Abstract

We study the complexity of securely evaluating arithmetic circuits over finite rings. This question 
is motivated by natural secure computation tasks. Focusing mainly on the case of two-party protocols 
with security against malicious parties, our main goals are to: (1) only make black-box calls to the ring 
operations and standard cryptographic primitives, and (2) minimize the number of such black-box calls 
as well as the communication overhead. 

We present several solutions which differ in their efficiency, generality, and underlying intractability 
assumptions. These include: 

• An unconditionally secure protocol in the OT-hybrid model which makes a black-box use of an
arbitrary ring R, but where the number of ring operations grows linearly with (an upper bound on)
log |R|.

• Computationally secure protocols in the OT-hybrid model which make a black-box use of an un-
derlying ring, and in which the number of ring operations does not grow with the ring size. The
protocols rely on variants of previous intractability assumptions related to linear codes. In the most
efficient instance of these protocols, applied to a suitable class of fields, the (amortized) commu-
nication cost is a constant number of field elements per multiplication gate and the computational
cost is dominated by O(log k) field operations per gate, where k is a security parameter. These
results extend a previous approach of Naor and Pinkas for secure polynomial evaluation (SIAM J.
Comput., 35(5), 2006).

• A protocol for the rings Z_m = Z/mZ which only makes a black-box use of a homomorphic
encryption scheme. When m is prime, the (amortized) number of calls to the encryption scheme
for each gate of the circuit is constant.

All of our protocols are in fact UC-secure in the OT-hybrid model and can be generalized to multiparty 
computation with an arbitrary number of malicious parties. 
1 Introduction



This paper studies the complexity of secure multiparty computation (MPC) tasks which involve arithmetic
computations. Following the general feasibility results from the 1980s [Yao86, GMW87, BGW88, CCD88],
much research in this area shifted to efficiency questions, with a major focus on the efficiency of securely
distributing natural computational tasks that arise in the "real world". In many of these cases, some inputs,
outputs, or intermediate values in the computation are integers, finite-precision reals, matrices, or elements
of a big finite ring, and the computation involves arithmetic operations in this ring. To name just a few
examples from the MPC literature, such arithmetic computations are useful in the contexts of distributed
generation of cryptographic keys [BF01, FMY98, PS98, Gil99, ACS02], privacy-preserving data-mining and
statistics [BLP02, CIK+01], comparing and matching data [NP06, FNP04, HL08], auctions and mechanism
design [NPS99, DFK+06, Tof07, BCD+08], and distributed linear algebra computations [CD01, NW06,
KMWF07, CKP07, MW08].

This motivates the following question: 

What is the complexity of securely evaluating a given arithmetic circuit C over a given finite
ring R?

Before surveying the state of the art, some clarifications are in place. 

Arithmetic circuits. An arithmetic circuit over a ring is defined similarly to a standard boolean circuit, ex- 
cept that the inputs and outputs are ring elements rather than bits and gates are labeled by the ring operations 
add, subtract, and multiply. (Here and in the following, by "ring" we will refer to a finite ring by default.) 
In the current context of distributed computations, the inputs and outputs of the circuit are annotated with
the parties to which they belong. Thus, the circuit C together with the ring R naturally define a multi-party
arithmetic functionality C^R. Note that arithmetic computations over the integers or finite-precision reals
can be embedded into a sufficiently large finite ring or field, provided that there is an a-priori upper bound
on the bit-length of the output. See Section 1.4 for further discussion of the usefulness of arithmetic circuits
and some extensions of this basic model to which our results apply.

Secure computation model. The main focus of this paper is on secure two-party computation or, more 
generally, MPC with an arbitrary number of malicious parties. (In this setting it is generally impossible 
to guarantee output delivery or even fairness, and one has to settle for allowing the adversary to abort the 
protocol after learning the output.) Our protocols are described in the "OT-hybrid model," namely in a
model that allows parties to invoke an ideal oblivious transfer (OT) oracle [Rab81, EGL85, Gol04]. This
has several advantages in generality and efficiency, see [IPS08] and Section 1.4 below for discussion.

Ruling out the obvious. An obvious approach for securely realizing an arithmetic computation C^R is by
first designing an equivalent boolean circuit C which computes the same function on a binary representation
of the inputs, and then using standard MPC protocols for realizing C. The main disadvantage of such an
approach is that it typically becomes very inefficient when R is large. One way to rule out such an approach,
at least given the current state of the art, is to require the communication complexity to grow at most linearly
with log |R|. (Note that even in the case of finite fields with n-bit elements, the size of the best known
boolean multiplication circuits is ω(n log n); the situation is significantly worse for other useful rings, such
as matrix rings.)

A cleaner way for ruling out such an approach, which is of independent theoretical interest, is by restrict-
ing protocols to only make a black-box access to the ring R. That is, Π securely realizes C if Π^R securely
realizes C^R for every finite ring R and every representation of elements in R.¹ This black-box access to R
enables Π to perform ring operations and sample random ring elements, but the correspondence between
ring elements and their identifiers (or even the exact size of the ring) will be unknown to the protocol.² When
considering the special case of fields, we allow by default the protocol Π to access an inversion oracle.



1.1 Previous Work 

In the setting of MPC with honest majority, most protocols from the literature can make a black-box use of 
an arbitrary field. An extension to arbitrary black-box rings was given in [CFIK03], building on previous
black-box secret sharing techniques of [DF89, CF02]. 

In the case of secure two-party computation and MPC with no honest majority, most protocols from 
the literature apply to boolean circuits. Below we survey some previous approaches from the literature that 
apply to secure arithmetic computation with no honest majority. 

In the semi-honest model, it is easy to employ any homomorphic encryption scheme with plaintext group
Z_m for performing arithmetic MPC over Z_m. (See, e.g., [AF90, CIK+01].) An alternative approach, which
relies on oblivious transfer and uses the standard binary representation of elements in Z_m, was employed
in [Gil99]. These protocols make a black-box use of the underlying cryptographic primitives but do not
make a black-box use of the underlying ring. Applying the general compilers of [GMW87, CLOS02] to
these protocols in order to obtain security in the malicious model would result in inefficient protocols which
make a non-black-box use of the underlying cryptographic primitives (let alone the ring).

In the malicious model, protocols for secure arithmetic computation based on threshold homomor-
phic encryption were given in [CDN01, DN03]³ (extending a similar protocol for the semi-honest model
from [FH96]). These protocols provide the most practical general solutions for secure arithmetic two-party
computation we are aware of, requiring a constant number of modular exponentiations for each arithmetic 
gate. On the down side, these protocols require a nontrivial setup of keys which is expensive to distribute. 
Moreover, similarly to all protocols described so far, they rely on special-purpose zero-knowledge proofs 
and specific number-theoretic assumptions and thus do not make a black-box use of the underlying crypto- 
graphic primitives, let alone a black-box use of the ring. 

The only previous approach which makes a black-box use of an underlying ring (as well as a black-box 
use of OT) was suggested by Naor and Pinkas [NP06] in the context of secure polynomial evaluation. Their
protocol can make a black-box use of any field (assuming an inversion oracle), and its security is related 
to the conjectured intractability of decoding Reed-Solomon codes with a sufficiently high level of random 
noise. The protocol from [NP06] can be easily used to obtain general secure protocols for arithmetic circuits 
in the semi-honest model. However, extending it to allow full simulation-based security in the malicious 
model (while still making only a black-box use of the underlying field) is not straightforward. (Even in the 
special case of secure polynomial evaluation, an extension to the malicious model suggested in [NP06] only
considers privacy rather than full simulation-based security.) 

Finally, we note that Yao's garbled circuit technique [Yao86], which is essentially the only known technique
for constant-round secure computation of general functionalities, does not have a known arithmetic
analogue. Thus, in all general-purpose protocols for secure arithmetic computation (including the ones
presented in this work) the round complexity must grow with the multiplicative depth⁴ of C.

1 When considering computational security we will require representations to be computationally efficient, in the sense that given
identifiers of two ring elements a, b one can efficiently compute the identifiers of a + b, a − b, and a · b.

2 Note that it is not known how to efficiently learn the structure of a ring using a black box access to ring operations, even in the
special case of general finite fields [BL96, MR07].

3 While [CDN01, DN03] refer to the case of robust MPC in the presence of an honest majority, these protocols can be easily
modified to apply to the case of MPC with no honest majority. We note that while a main goal of these works was to minimize the
growth of complexity with the number of parties, we focus on minimizing the complexity in the two-party case.

1.2 Our Contribution 

We study the complexity of general secure arithmetic computation over finite rings in the presence of an 
arbitrary number of malicious parties. We are motivated by the following two related goals. 

• Black-box feasibility: only make a black-box use of an underlying ring R or field F and standard 
cryptographic primitives; 

• Efficiency: minimize the number of such black-box calls, as well as the communication overhead. 

For simplicity, we do not attempt to optimize the dependence of the complexity on the number of parties, 
and restrict the following discussion to the two-party case. 

We present several solutions which differ in their efficiency, generality, and underlying intractability 
assumptions. Below we describe the main protocols along with their efficiency and security features. An 
overview of the underlying techniques is presented in Section 1.3.

An unconditionally secure protocol. We present an unconditionally secure protocol in the OT-hybrid
model which makes a black-box use of an arbitrary finite ring R, but where the number of ring operations
and the number of ring elements being communicated grow linearly with (an upper bound on) log |R|.
(We assume for simplicity that an upper bound on log |R| is given by the ring oracle, though such an upper
bound can always be inferred from the length of the strings representing ring elements.) More concretely, the
number of ring operations for each gate of C is poly(k) · log |R|, where k is a statistical security parameter.
This gives a two-party analogue for the MPC protocol over black-box rings from [CFIK03], which requires
an honest majority (but does not require the number of ring operations to grow with log |R|).

Protocols based on noisy linear encodings. Motivated by the goal of reducing the overhead of the previous 
protocol, we present a general approach for deriving secure arithmetic computation protocols over a ring R 
from linear codes over R. The (computational) security of the protocols relies on intractability assumptions 
related to the hardness of decoding in the presence of random noise. These protocols generalize and extend 
in several ways the previous approach of Naor and Pinkas for secure polynomial evaluation [NP06] (see 
Section 1.3 for discussion). Using this approach, we obtain the following types of protocols in the OT-
hybrid model. 

• A protocol which makes a black-box use of an arbitrary field F, in which the number of field opera-
tions (and field elements being communicated) does not grow with the field size. More concretely, the
number of field operations for each gate of C is bounded by a fixed polynomial in the security param-
eter k, independently of |F|. The underlying assumption is related to the conjectured intractability of
decoding a random linear code⁵ over F. Our assumption is implied by the assumption that a noisy
codeword in a random linear code over F is pseudorandom. Such a pseudorandomness assumption
follows from the average-case hardness of decoding a random linear code when the field size is poly-
nomial in k (see [BFKL93, AIK07] for corresponding reductions in the binary case).

4 The multiplicative depth of a circuit is the maximal number of multiplication gates on a path from an input to an output. 

5 The above efficiency feature requires that random linear codes remain hard to decode even over very large fields. Note,
however, that log |F| is effectively restricted by the running time of the adversary, which is (an arbitrarily large) polynomial in k.
The assumption can be relaxed if one allows the number of ring operations to grow moderately with log |F|.
• A variant of the previous protocol which makes a black-box use of an arbitrary ring R, and in partic-
ular does not rely on inversion. This variant is based on families of linear codes over rings in which
decoding in the presence of erasures can be done efficiently, and for which decoding in the presence 
of (a suitable distribution of) random noise seems intractable. 

• The most efficient protocol we present relies on the intractability of decoding Reed-Solomon codes 
with a (small) constant rate in the presence of a (large) constant fraction of noise.⁶ The amortized
communication cost is a constant number of field elements per multiplication gate. (Here and in the 
following, when we refer to "amortized" complexity we ignore an additive term that may depend 
polynomially on the security parameter and the circuit depth, but not on the circuit size. In most 
natural instances of large circuits this additive term does not form an efficiency bottleneck.) 

A careful implementation yields protocols whose amortized computational cost is O(log k) field op-
erations per gate, where k is a security parameter, assuming that the field size is super-polynomial
in k. In contrast, protocols which are based on homomorphic encryption schemes (such as [CDN01]
or the ones obtained in this work) apply modular exponentiations, which require Ω(k + log |F|) ring
multiplications per gate, in a ciphertext ring which is larger than F. This is the case even in the semi-
honest model. Compared to the "constant-overhead" protocol from [IKOS08] (applied to a boolean
circuit realizing C^F), our protocol has better communication complexity and relies on a better stud-
ied assumption, but its asymptotic computational complexity is worse by an O(log k) factor when
implemented in the boolean circuit model.

Protocols making a black-box use of homomorphic encryption. For the case of rings of the form
Z_m = Z/mZ (with the standard representation) we present a protocol which makes a black-box use of
any homomorphic encryption scheme with plaintext group Z_m. Alternatively, the protocol can make a
black-box use of homomorphic encryption schemes in which the plaintext group is determined by the key
generation algorithm, such as those of Paillier [Pai99] or Damgård-Jurik [DJ02]. In both variants of the
protocol, the (amortized) number of communicated ciphertexts and calls to the encryption scheme for each
gate of C is constant, assuming that m is prime. This efficiency feature is comparable to the protocols
from [CDN01, DN03] discussed in Section 1.1 above. Our protocols have the advantages of using a more
general primitive and only making a black-box use of this primitive (rather than relying on special-purpose
zero-knowledge protocols). Furthermore, the additive term which we ignore in the above "amortized" com-
plexity measure seems to be considerably smaller than the cost of distributing the setup of the threshold
cryptosystem required by [CDN01].

Both variants of the protocol can be naturally extended to the case of matrix rings Z_m^{n×n}, increasing
the communication complexity by a factor of n². (Note that emulating matrix operations via basic arith-
metic operations over Z_m would result in a bigger overhead, corresponding to the complexity of matrix
multiplication.) Building on the techniques from [MW08], this protocol can be used to obtain efficient
protocols for secure linear algebra which make a black-box use of homomorphic encryption and achieve
simulation-based security against malicious parties (improving over similar protocols with security against
covert adversaries [AL07] recently presented in [MW08]).

All of our protocols are in fact UC-secure in the OT-hybrid model and can be generalized to multiparty 
computation with an arbitrary number of malicious parties. The security of the protocols also holds against 

6 The precise intractability assumption we use is similar in flavor to an assumption used in [NP06] for evaluating polynomials
of degree d > 2. With a suitable choice of parameters, our assumption is implied by a natural pseudorandomness variant of the
assumption from [NP06], discussed in [KY08]. The assumption does not seem to be affected by the recent progress on list-decoding
Reed-Solomon codes and their variants [GS99, CS03, BKY07, PV05].
adaptive adversaries, assuming that honest parties may erase data. (This is weaker than the standard notion
of adaptive security [CFGN96] which does not rely on data erasure.) The round complexity of all the
protocols is a constant multiple of the multiplicative depth of C. 

1.3 Techniques 

Our results build on a recent technique from [IPS08] (which was inspired by previous ideas from [IKOS07]
and also [HIKN08]). The main result of [IPS08] constructs a secure two-party protocol for a functionality
f in the OT-hybrid model by making a black-box use of the following two ingredients: (1) an outer MPC
protocol which realizes f using k additional "servers", but only needs to tolerate a constant fraction of
malicious servers; and (2) an inner two-party protocol which realizes in the semi-honest OT-hybrid model a 
reactive two-party functionality defined (in a black-box way) by the outer protocol. The latter functionality 
is essentially a distributed version of the algorithm run by the servers in the outer protocol. 

Because of the black-box nature of this construction, if both ingredients make a black-box use of R 
and/or a black-box use of cryptographic primitives, then so does the final two-party protocol. 

Given the above, it remains to find good instantiations for the outer and inner protocols. Fortunately, 
good instances of the outer protocol already exist in the literature. In the case of general black-box rings, we 
can use the protocol of [CFIK03]. In the case of fields, we can use a variant of the protocol from [DI06] for
better efficiency. This protocol has an amortized communication cost of a constant number of field elements
for each multiplication gate in the circuit. In terms of computational overhead, a careful implementation
incurs an amortized overhead of O(log k) field operations per gate, where k is a security parameter, assum-
ing that the field size is superpolynomial in k. (The overhead is dominated by the cost of Reed-Solomon 
encoding over the field.) 

Our final protocols are obtained by combining the above outer protocols with suitable implementations 
of the inner protocol. Our main technical contribution is in suggesting concrete inner protocols which yield 
the required security and efficiency features. 

Similarly to [IPS08], the inner protocols corresponding to the outer protocols we employ require to 
securely compute, in the semi-honest model, multiple instances of a simple "product-sharing" functionality, 
in which Alice holds a ring element a, Bob holds a ring element b, and the output is an additive secret 
sharing of ab. (The efficient version of the outer protocol requires the inner protocol to perform only a 
constant amortized number of product-sharings per multiplication gate. All other computations, including 
ones needed for handling addition gates, are done locally and do not require interaction.) In [IPS08] such
a product-sharing protocol is implemented by applying the GMW protocol [GMW87] (in the semi-honest 
OT-hybrid model) to the binary representation of the inputs. This does not meet our current feasibility and 
efficiency goals. 

Below we sketch the main ideas behind different product-sharing protocols on which we rely, which
correspond to the main protocols described in Section 1.2.

Unconditionally secure product-sharing. In our unconditionally secure protocol, Bob breaks his input b 
into n additive shares and uses them to generate n pairs of ring elements, where in each pair one element is 
a share of b and the other is a random ring element. (The location of the share of b in each pair is picked at 
random and is kept secret by Alice. Note that additive secret-sharing can be done using a black-box access 
to the ring oracle.) Bob sends these n pairs to Alice. Alice multiplies each of the 2n ring elements (from the 
left) by her input a, and subtracts from each element in the i-th pair a random ring element t_i. This results
in n new pairs. Bob retrieves from each pair the element corresponding to the original additive share of b by
using n invocations of the OT oracle. Bob outputs the sum of the n ring elements he obtained, and Alice
outputs Σ_{i=1}^{n} t_i.

It is easy to verify that the protocol has the correct output distribution. The security of the protocol can
be analyzed using the Leftover Hash Lemma [ILL89]. (Similar uses of this lemma were previously made
in [HN96, IKOS06].) Specifically, the protocol is statistically secure when n > log_2 |R| + k. We note that
in light of efficient algorithms for low-density instances of subset sum [LO85], one cannot hope to obtain
significant efficiency improvements by choosing a smaller value of n and settling for computational security.
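The product-sharing protocol sketched above, simulated locally as an added example (this is not code from the paper). The ring is accessed only through a black-box interface of our own design (add, sub, mul, sample), the OT oracle is replaced by a local stand-in, and the two sample rings, Z_m and 2×2 matrices over Z_m, are constructed here; the matrix ring is included because the protocol multiplies from the left, so it works without commutativity.

```python
import secrets


class ZmRing:
    """Black-box view of Z_m (constructed sample ring): the protocol only calls these methods."""
    def __init__(self, m): self.m = m
    def add(self, x, y): return (x + y) % self.m
    def sub(self, x, y): return (x - y) % self.m
    def mul(self, x, y): return (x * y) % self.m
    def sample(self): return secrets.randbelow(self.m)
    def zero(self): return 0


class Mat2Ring:
    """2x2 matrices over Z_m, a non-commutative ring; elements are tuples of row tuples."""
    def __init__(self, m): self.m = m
    def _map(self, f):
        return tuple(tuple(f(i, j) % self.m for j in range(2)) for i in range(2))
    def add(self, x, y): return self._map(lambda i, j: x[i][j] + y[i][j])
    def sub(self, x, y): return self._map(lambda i, j: x[i][j] - y[i][j])
    def mul(self, x, y): return self._map(lambda i, j: sum(x[i][l] * y[l][j] for l in range(2)))
    def sample(self): return self._map(lambda i, j: secrets.randbelow(self.m))
    def zero(self): return ((0, 0), (0, 0))


def ot_1_of_2(messages, choice):
    """Stand-in for the ideal 1-out-of-2 OT oracle: the receiver learns exactly one message."""
    return messages[choice]


def min_pairs(ring_size, k):
    """Number of pairs n that meets the statistical-security bound n > log2|R| + k."""
    return ring_size.bit_length() + k


def additive_shares(R, b, n):
    """Split b into n additive shares using only black-box ring operations."""
    shares = [R.sample() for _ in range(n - 1)]
    last = b
    for s in shares:
        last = R.sub(last, s)
    return shares + [last]


def product_share(R, a, b, n):
    """Alice holds a, Bob holds b. Returns (alice_out, bob_out) with alice_out + bob_out = a*b."""
    # Bob: n pairs; pair i holds share b_i at a secret random position c_i and a random element
    # at the other position. The pairs are what Alice gets to see.
    positions = [secrets.randbelow(2) for _ in range(n)]
    pairs = []
    for share, c in zip(additive_shares(R, b, n), positions):
        pair = [R.sample(), R.sample()]
        pair[c] = share
        pairs.append(pair)
    # Alice: multiply every element from the left by a, then subtract a fresh mask t_i per pair.
    ts = [R.sample() for _ in range(n)]
    masked = [[R.sub(R.mul(a, x), t) for x in pair] for pair, t in zip(pairs, ts)]
    # n OT invocations: Bob retrieves a*b_i - t_i from pair i (and nothing about the other slot).
    bob_out = R.zero()
    for i, c in enumerate(positions):
        bob_out = R.add(bob_out, ot_1_of_2(masked[i], c))
    # Alice outputs t_1 + ... + t_n.
    alice_out = R.zero()
    for t in ts:
        alice_out = R.add(alice_out, t)
    return alice_out, bob_out


def shares_reconstruct_product(R, a, b, n):
    """Correctness check: sum over i of (a*b_i - t_i) plus sum of t_i equals a*(sum of b_i) = a*b."""
    alice_out, bob_out = product_share(R, a, b, n)
    return R.add(alice_out, bob_out) == R.mul(a, b)
```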

Product-sharing from linear codes. Our construction for black-box fields generalizes the previous ap- 
proach of Naor and Pinkas [NP06] in a natural way. The high level idea is as follows. Bob sends to Alice 
a noisy randomized linear encoding (or noisy linear secret-sharing) of b which is assumed to hide b. Alice 
uses the homomorphic properties of this encoding to compute a noisy encoding of ab + z for a random z of 
her choice. Bob uses OT to retrieve only the non-noisy portions of the latter encoding. Note that the above 
unconditionally secure protocol can also be viewed as an instance of this general paradigm. 

In more detail, suppose that G is an n × k generating matrix of a linear code C ⊆ F^n whose minimal
distance is bigger than d. This implies that an encoded message can be efficiently recovered from any n − d
coordinates of the encoding by solving a system of linear equations defined by the corresponding sub-matrix
of G. Now, suppose that G has the following intractability property: the distribution of Gu + e, where u is
a random message from F^k whose first coordinate is b and e is a random noise vector of Hamming weight
at most d, keeps b semantically secure. (This follows, for instance, from the pseudorandomness of a noisy
codeword in the code spanned by all but the first column of G.) Given such G the protocol proceeds as
follows. Bob sends to Alice v = Gu + e as above, where e is generated by first picking at random a subset
L ⊆ [n] of size n − d and then picking e_i at random for i ∉ L and setting e_i = 0 for i ∈ L. By assumption,
v keeps b hidden from Alice. Alice now locally computes v' = a · v − Gz, where z is a random message
in F^k. Restricted to the coordinates in L, this agrees with the encoding of a random message whose first
coordinate is ab − z_1. Using the OT-oracle, Bob obtains from Alice only the coordinates of v' with indices
in L, from which it can decode and output ab − z_1. Alice outputs z_1.
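The code-based template above, carried through as an added example (not code from the paper or from [NP06]): G is a Reed-Solomon generating matrix over a prime field F_p, Bob decodes from the noise-free coordinates by solving the linear system on the corresponding rows of G, and the OT oracle is a local stand-in that hands Bob only the coordinates in L. The concrete values of p, n, k and d are our own illustrative choices, not parameters the paper recommends.

```python
import secrets

P = 2**31 - 1   # prime p for the field F_p (constructed parameter)


def rs_generator(n, k, p):
    """n x k Reed-Solomon generating matrix: row i evaluates a degree < k polynomial at x = i + 1.
    Distinct nonzero points make every k x k row-submatrix a Vandermonde matrix, hence invertible,
    so the message is recoverable from any k coordinates (minimal distance n - k + 1)."""
    return [[pow(i + 1, j, p) for j in range(k)] for i in range(n)]


def matvec(G, u, p):
    return [sum(g * x for g, x in zip(row, u)) % p for row in G]


def solve(A, y, p):
    """Solve the square system A x = y over F_p by Gauss-Jordan elimination."""
    k = len(A)
    M = [row[:] + [yi] for row, yi in zip(A, y)]
    for col in range(k):
        piv = next(r for r in range(col, k) if M[r][col] % p)
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(k):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % p for vr, vc in zip(M[r], M[col])]
    return [M[r][k] for r in range(k)]


def ot_coordinates(v_prime, L):
    """Stand-in for the OT oracle: Bob learns v'_i exactly for i in L and nothing else."""
    return {i: v_prime[i] for i in L}


def product_share_rs(a, b, p, n, k, d):
    """Alice holds a, Bob holds b. Returns (alice_out, bob_out) with alice_out + bob_out = a*b mod p.
    Requires n - d >= k so that the noise-free coordinates determine the message."""
    assert n - d >= k, "need at least k noise-free coordinates to decode"
    G = rs_generator(n, k, p)
    # Bob: random message u with u[0] = b; the noise e is zero exactly on a random set L of size n - d.
    u = [b] + [secrets.randbelow(p) for _ in range(k - 1)]
    L = sorted(secrets.SystemRandom().sample(range(n), n - d))
    in_L = set(L)
    e = [0 if i in in_L else secrets.randbelow(p) for i in range(n)]
    v = [(x + ei) % p for x, ei in zip(matvec(G, u, p), e)]      # v = Gu + e, sent to Alice
    # Alice: v' = a*v - Gz for a random message z; her output is z_1.
    z = [secrets.randbelow(p) for _ in range(k)]
    v_prime = [(a * vi - gz) % p for vi, gz in zip(v, matvec(G, z, p))]
    # Bob: on L the noise vanishes, so v'_L = G_L (a*u - z); solving on any k rows of L recovers a*u - z.
    received = ot_coordinates(v_prime, L)
    rows = L[:k]
    x = solve([G[i] for i in rows], [received[i] for i in rows], p)
    # The remaining n - d - k coordinates are redundant; a semi-honest Alice makes them agree.
    for i in L[k:]:
        if sum(g * xi for g, xi in zip(G[i], x)) % p != received[i]:
            raise ValueError("received coordinates are not a consistent encoding")
    return z[0], x[0]      # Alice's z_1 and Bob's ab - z_1


def check_product_share_rs(a, b, p=P, n=64, k=16, d=40):
    """Correctness check: the two outputs add up to a*b in F_p."""
    alice_out, bob_out = product_share_rs(a, b, p, n, k, d)
    return (alice_out + bob_out) % p == (a * b) % p
```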

The basic secure polynomial evaluation protocol from [NP06], when restricted to degree-1 polynomials,
essentially coincides with the above protocol when C is a Reed-Solomon code. The extension to general 
linear codes makes the underlying security assumption more conservative. Indeed, in contrast to Reed- 
Solomon codes, the problem of decoding random linear codes is believed to be intractable even for very low 
levels of noise. 

In our actual protocols we will use several different distributions for picking the generating matrix G, 
and allow the noise distribution to depend on the particular choice of G (rather than only on its minimal 
distance). In particular, for the case of general black-box rings we pick G from a special class of codes for 
which decoding does not require inversion and yet the corresponding intractability assumption still seems 
viable. 

Finally, in our most efficient code-based protocol we use Reed-Solomon codes as in [NP06], but extend
the above general template by letting Bob pack t = Ω(k) field elements (b_1, ..., b_t) into the same codeword
v. This variant of the construction does not apply to a general G, and relies on a special property of Reed-
Solomon codes which was previously exploited in [FY92]. This approach yields a protocol which realizes t
parallel instances of product-sharing by communicating only O(t) field elements.

Product-sharing from homomorphic encryption. Our last product-sharing protocol applies to rings of
the form Z_m or n × n matrices over such rings and makes a standard use of homomorphic encryption. The
only technicality that needs to be addressed is that the most useful homomorphic encryption schemes do not
allow one to control the modulus m but rather have this modulus generated by the key-generation
algorithm. However, in the semi-honest model it is simple (via standard techniques) to emulate secure
computation modulo m via secure computation modulo any M ≫ m.

1.4 Further Discussion 

From the OT-hybrid model to the plain model. An advantage of presenting our protocols in the OT-hybrid
model is that they can be instantiated in a variety of models and under a variety of assumptions. For instance, 
using UC-secure OT protocols from [PVW08, DNO08], one can obtain efficient UC-secure instances of 
our protocols in the CRS model. In the stand-alone model, one can implement these OTs by making a 
black-box use of homomorphic encryption [IKLP06]. Thus, our protocols which make a black-box use of 
homomorphic encryption do not need to employ an additional OT primitive in the stand-alone model. 

We finally note that our protocols require only O(k) OTs with security in the malicious model, indepen-
dently of the circuit size; the remaining OT invocations can all be implemented in the semi-honest model,
which can be done very efficiently using the technique of [IKNP03]. Furthermore, all the "cryptographic" 
work for implementing the OTs can be done off-line, before any inputs are available. We expect that in most 
natural instances of large-scale secure arithmetic computation, the cost of realizing the OTs will not form an 
efficiency bottleneck. 

Extensions. While we explicitly consider here only stateless arithmetic circuits, this model (as well as our 
results) can be readily generalized to allow stateful, reactive arithmetic computations whose secret state 
evolves by interacting with the parties.⁷

Another direction for extending the basic results has to do with the richness of the arithmetic computa- 
tion model. Recall that the standard model of arithmetic circuits allows only to add, subtract, and multiply 
ring elements. While this provides a clean framework for the study of secure computation over black-box 
rings, many applications depend on other operations that cannot be efficiently expressed in this basic cir- 
cuit model. For instance, when emulating arithmetic computation over the integers via computation over a 
(sufficiently large) finite field, one typically needs to check that the inputs come from a given range.

As it turns out, reactive arithmetic computations are surprisingly powerful in this context, and can be 
used to obtain efficient secure realizations of useful "non-arithmetic" manipulations of the state, including 
decomposing a ring element into its bit-representation, equality testing, inversion, comparison, exponentia- 
tion, and others [DFK+06, Tof07]. These reductions enhance the power of the basic arithmetic model, and
allow protocols to efficiently switch from one representation to another in computations that involve both 
boolean and arithmetic operations. 

1.5 Roadmap 

We now briefly outline the structure of the rest of this paper. Our basic definitions, including those of black- 
box computational rings and our notion of security in this context, are given in Section 2. To achieve our 
results (focusing on the two-party setting), recall that our overall technical approach is to invoke [IPS08 ], 
which gives a general blueprint for constructing efficient protocols by combining an "outer MPC protocol" 
secure against active adversaries in the honest majority setting, with an "inner two-party protocol" for simple 
functionalities that need only be secure against passive adversaries. We will give the details of this in Section 
5, but the bottom line (as discussed above) is that existing protocols (some with minor modifications) suffice 
for the outer MPC protocols, and all we need to provide are efficient inner protocols secure against passive
adversaries. Furthermore, since we are in the setting of passive adversaries, the only functionality that we
need the inner protocol to compute is a basic ring multiplication function, at the end of which the two parties
should hold additive shares of the product of their respective inputs. To construct efficient protocols for this
basic functionality, we examine three approaches. Our first two approaches are based on "noisy encodings"
of various types, which we define in Section 3, and the last approach is based on homomorphic encryption.
The actual protocols ("inner two-party protocols") based on these three approaches are given in Section 4.

7 An ideal functionality which formally captures such general reactive arithmetic computations was defined in [DN03] (see
also [Tof07, Chapter 4]) and referred to as an arithmetic black-box (ABB). All of our protocols for arithmetic circuits can be
naturally extended to realize the ABB functionality.

2 Preliminaries 

Black-box rings and fields. A probabilistic oracle $\mathcal{R}$ is said to be a valid implementation of a finite ring $R$ if it behaves as follows: it takes as input one of the commands add, subtract, multiply, sample and two $m$-bit "element identifiers" (or none, in the case of sample), and returns a single $m$-bit string. There is a one-to-one mapping $\mathrm{label} : R \hookrightarrow \{0,1\}^m$ such that for all $x, y \in R$, $\mathcal{R}(\mathsf{op}, \mathrm{label}(x), \mathrm{label}(y)) = \mathrm{label}(x *_R y)$, where op is one of add, subtract and multiply and $*_R$ is the ring operation $+$, $-$, or $\cdot$ respectively. When an input is not from the range of label, the oracle outputs $\perp$. (In a typical protocol, if a $\perp$ is ever encountered by an honest player, the protocol aborts.) The output of $\mathcal{R}(\mathsf{sample})$ is $\mathrm{label}(x)$ where $x$ is drawn uniformly at random from $R$. We will be interested in oracles of the kind that implement a family of rings of varying sizes. Such an oracle takes an additional input id to indicate which ring it is implementing.

Definition 2.1 A probabilistic oracle $\mathcal{R}$ is said to be a concrete ring family (or simply a ring family) if, for all strings id, the oracle $\mathcal{R}(\mathrm{id}, \cdot)$ (i.e., with first input fixed to id) is an implementation of some ring. This concrete ring will be denoted by $\mathcal{R}_{\mathrm{id}}$.

Note that so far we have not placed any computability requirement on the oracle; we only require a concrete mapping from ring elements to binary strings. However, when considering computationally secure protocols we will typically restrict attention to "efficient" families of rings: we say $\mathcal{R}$ is a computationally efficient ring family if it is a ring family that can be implemented by a probabilistic polynomial time algorithm. There are some special cases that we shall refer to:

1. Suppose that for all id, $\mathcal{R}_{\mathrm{id}}$ is a ring with an identity for multiplication, 1. Then we call $\mathcal{R}$ a ring family with inverse if, in addition to the other operations, $\mathcal{R}(\mathrm{id}, \mathsf{one})$ returns $\mathrm{label}_{\mathrm{id}}(1)$ and $\mathcal{R}(\mathrm{id}, \mathsf{invert}, \mathrm{label}_{\mathrm{id}}(x))$ returns $\mathrm{label}_{\mathrm{id}}(x^{-1})$ if $x$ is a unit (i.e., has a unique left- and right-inverse) and $\perp$ otherwise.

2. If $\mathcal{R}$ is a ring family with inverse such that for all id the ring $\mathcal{R}_{\mathrm{id}}$ is a field, then we say that $\mathcal{R}$ is a field family.

3. We call a ring family with inverse $\mathcal{R}$ a pseudo-field family if, for all id, all but a negligible (in |id|) fraction of the elements in the ring $\mathcal{R}_{\mathrm{id}}$ are units.

Some special families of rings we will be interested in, other than finite fields, include rings of the form $\mathbb{Z}_m = \mathbb{Z}/m\mathbb{Z}$ for a composite integer $m$ (namely, the ring of residue classes modulo $m$), and rings of matrices over a finite field or ring. With an appropriate choice of parameters, both of these families are in fact pseudo-fields. Note that a concrete ring family $\mathcal{R}$ for the rings of the form $\mathbb{Z}_m$ could use the binary representation of $m$ as the input id; further, the elements in $\mathbb{Z}_m$ could be represented as $\lceil \log m \rceil$-bit strings in a natural way. Of course, a different concrete ring family for the same ring can use a different representation.

Finally, for notational convenience we assume that the length of all element identifiers in $\mathcal{R}_{\mathrm{id}}$ is exactly |id|. In particular, the ring $\mathcal{R}_{\mathrm{id}}$ has at most $2^{|\mathrm{id}|}$ elements.
Arithmetic circuits. An arithmetic circuit is a circuit (i.e., a directed acyclic graph with the nodes labeled as input gates, output gates or internal gates), in which the internal gates are labeled with a ring operation: add, subtract or multiply. (In addition, for fields, one often considers the additional constant gate one.) An arithmetic circuit $C$ can be instantiated with any ring $R$. We denote by $C^R$ the mapping (from a vector of ring elements to a vector of ring elements) defined in a natural way by instantiating $C$ with $R$. For a concrete ring family $\mathcal{R}$, we denote by $C^{\mathcal{R}}$ the mapping which takes an id and a vector of input identifiers and outputs the corresponding vector of output identifiers. (If any of the inputs is not a valid identifier, it outputs $\perp$.)

In the context of multi-party computation, each input or output to such a circuit is annotated to indicate which party (or parties) it "belongs" to. Given such an annotated circuit $C$ and a concrete ring family $\mathcal{R}$, we define the functionality $\mathcal{F}_C$ to behave as follows:

• The functionality takes id as a common (public) input,^8 and receives (private) inputs to $C$ from each party. It then evaluates the function $C^{\mathcal{R}}(\mathrm{id}, \text{inputs})$ using access to $\mathcal{R}$, and provides the outputs to the



Protocols securely realizing arithmetic computations. We follow the standard UC-security framework [Can05]. Informally, a protocol $\pi$ is said to securely realize a functionality $\mathcal{F}$ if there exists a PPT simulator Sim such that for all (non-uniform PPT) adversaries Adv, and all (non-uniform PPT) environments Env which interact with a set of parties and an adversary, the following two scenarios are indistinguishable: the REAL interaction where the parties run the protocol $\pi$ and the adversary is Adv; the IDEAL interaction where the parties communicate directly with the ideal functionality $\mathcal{F}$ and the adversary is $\mathrm{Sim}^{\mathrm{Adv}}$. Indistinguishability can either be statistical (in the case of unconditional security) or computational (in the case of computational security). All parties, the adversary, the simulator, the environment and the functionality get the security parameter $k$ as implicit input. Polynomial time computation, computational or statistical indistinguishability and non-uniformity are defined with respect to this security parameter $k$. However, since we don't impose an a-priori bound on the size of the inputs received from the environment, the running time of honest parties is bounded by a fixed polynomial in the total length of their inputs (rather than a fixed polynomial in $k$).

We distinguish between static corruption and adaptive corruption. In the latter case it also makes a difference whether the protocols can erase their state (so that a subsequent corruption will not have access to the erased information), or no erasure is allowed. Our final protocols will have security against adaptive corruption^9 in the model that allows honest parties to erase their state information, but as an intermediate step, we will consider protocols which have security only against static corruption.

We shall consider protocols which make oracle access to a ring family $\mathcal{R}$. For such a protocol we define its arithmetic computation complexity as the number of oracle calls to $\mathcal{R}$. Similarly, the arithmetic communication complexity is defined as the number of ring-element labels in the communication transcript. The arithmetic computation (respectively, communication) complexity of our protocols will dominate the other computation steps in the protocol execution (respectively, the number of other bits in the transcript). Thus, the arithmetic complexity gives a good measure of efficiency for our protocols.

8 $\mathcal{F}_C$ can take id as input from each party, and ensure that all the parties agree on the same id. Alternately, we can restrict to environments which provide the same common input id to all parties. In this case id could be considered part of the specification of the functionality, more appropriately written as $\mathcal{F}_C^{\mathrm{id}}$.

9 One of the reasons for us to aim for adaptive security with erasure is that we will be relying on the main protocol compiler of [IPS08], as described informally in the Introduction and treated more formally in Section 5. This compiler requires that the component protocols, the "outer MPC protocol" and the "inner two-party protocol," both enjoy adaptive security: the outer protocol must be adaptively secure in the model without erasures, but the inner protocol can be adaptively secure with erasures (in the OT-hybrid model). Note that the conference version of [IPS08] incorrectly claimed that the main protocol's proof of security works even when the inner protocol is only statically secure, but this does not seem to be the case. However, this issue does not present any problems for us here, as we are easily able to modify our proposed "inner" protocols to achieve adaptive security with erasures using standard techniques, as detailed in Appendix A.

Note that while any computational implementation of the ring oracle necessarily requires the complexity 
to grow with the ring size, it is possible that the arithmetic complexity does not depend on the size of the 
ring at all. 

We now define our main notion of secure arithmetic computation. 

Definition 2.2 Let $C$ be an arithmetic circuit. A protocol $\pi$ is said to be a secure black-box realization of $C$-evaluation for a given set of ring families if for each $\mathcal{R}$ in the set,

1. $\pi^{\mathcal{R}}$ securely realizes $\mathcal{F}_C$, and

2. the arithmetic (communication and computation) complexity of $\pi$ is bounded by some fixed polynomial in $k$ and |id| (independently of $\mathcal{R}$).

In the case of unconditional security we will quantify over the set of all ring families, whereas in the case of computational security we will typically quantify only over computationally efficient rings or fields.^10 In both cases, the efficiency requirement on $\pi$ rules out the option of using a brute-force approach to emulate the ring oracle by a boolean circuit.

We remark that our constructions will achieve a stronger notion of security, as the simulator used to establish the security in item (1) above will not depend on $\mathcal{R}$. A bit more precisely, the stronger definition is quantified as follows: there exists a simulator such that for all adversaries, ring families, and environments, the ideal process and the real process are indistinguishable. For simplicity, however, we phrase our definition as above, which does allow different simulators for different $\mathcal{R}$.

3 Noisy Encodings 

A central tool for our main protocols is a noisy encoding of elements in a ring or a field. In general this encoding consists of encoding a randomly padded message with a (possibly randomly chosen) linear code, and adding noise to the codeword obtained. The encodings will be such that, with some information regarding the noise, decoding (of a codeword derived from the noisy codeword) is possible, but otherwise the noisy codeword hides the message. The latter will typically be a computational assumption, for parameters of interest to us.

We shall use two kinds of encodings for our basic protocols in Section 4. The first of these encodings has a statistical hiding property which leads to a statistically secure protocol (in the OT-hybrid model). The other kind of encoding we use (described in Section 3.2) is hiding only under computational assumptions. In fact, we provide a general template for such encodings and instantiate it variously, leading to different concrete computational assumptions.

10 This is needed only in the constructions which rely on concrete computational assumptions. A computationally-unbounded ring oracle can be used by the adversary to break the underlying assumption.

3.1 A Statistically Hiding Noisy Encoding

• Encoding of $x$, $\mathrm{Enc}^n_{\mathcal{R}}(\mathrm{id}, x)$: Here $x \in \mathcal{R}_{\mathrm{id}}$; $n$ is a parameter of the encoding.

  - Denote $\mathcal{R}_{\mathrm{id}}$ by $R$.

  - Pick a "pattern" $\sigma \in \{0,1\}^n$.

  - Pick a random vector $u \in R^n$ conditioned on $\sum_{i=1}^n u_i = x$.

  - Pick a pair of random vectors $(v^0, v^1) \in R^n \times R^n$, conditioned on $v_i^{\sigma_i} = u_i$ for $i = 1, \ldots, n$. That is, the vector $u$ is "hidden" in the pair of vectors $v^0$ and $v^1$ according to the pattern $\sigma$.

  - Output $(v^0, v^1, \sigma)$.

The encoding could be seen as consisting of two parts, $(v^0, v^1)$ and $\sigma$, where the latter is information that will allow one to decode this code. For $x \in R$, let $\mathcal{S}^n_x$ denote the distribution of the first part of the encoding $\mathrm{Enc}^n_{\mathcal{R}}(\mathrm{id}, x)$, namely $(v^0, v^1)$.

This simple encoding has the useful property that it statistically hides $x$ when the decoding information $\sigma$ is removed. The proof of this fact makes use of the Leftover Hash Lemma [ILL89] (similarly to previous uses of this lemma in [IN96, IKOS06]).

Lemma 1 Let $n \ge \log|R| + k$. Then, for all $x \in R$, the statistical distance between the distribution $\mathcal{S}^n_x$ and the uniform distribution over $R^n \times R^n$ is $2^{-\Omega(k)}$.

PROOF: Consider the hash function family $\mathcal{H}$ that consists of functions $H_{v^0,v^1} : \{0,1\}^n \to R$, where $(v^0, v^1) \in R^n \times R^n$, defined as $H_{v^0,v^1}(\sigma) := \sum_{i=1}^n v_i^{\sigma_i}$. It is easily verified that this is a 2-universal hash function family. Then, by the Leftover Hash Lemma,

$$\Delta\Big( \big(H, H(\sigma)\big)_{H \leftarrow \mathcal{H},\, \sigma \leftarrow U_{\{0,1\}^n}},\ \big(H, z\big)_{H \leftarrow \mathcal{H},\, z \leftarrow R} \Big) \;=\; \frac{1}{2} \sum_{H \in \mathcal{H}} \sum_{z \in R} \frac{1}{|\mathcal{H}|} \left| \Pr[z \mid H] - \frac{1}{|R|} \right| \;\le\; 2^{-\Omega(n - \log|R|)},$$

where $U_{\{0,1\}^n}$ stands for the uniform distribution over $\{0,1\}^n$, $\Delta$ denotes the statistical difference between two distributions, and $\Pr[z \mid H]$ is a shorthand for $\Pr_{\sigma \leftarrow \{0,1\}^n}[H(\sigma) = z]$.

To prove the lemma we make use also of the following symmetry between all the possible outcomes of the hash functions: there is a family of permutations on $\mathcal{H}$, $\{\pi_a \mid a \in R\}$, such that for all $z \in R$, $\Pr[z \mid H] = \Pr[z + a \mid \pi_a(H)]$. In particular we can set $\pi_a(H_{v^0,v^1}) := H_{u^0,u^1}$ where $u^0$ (respectively $u^1$) is identical to $v^0$ (respectively $v^1$) except for the first coordinate, which differs by $a$: $u^0_1 - v^0_1 = u^1_1 - v^1_1 = a$. Then,

$$\begin{aligned}
\frac{1}{2} \sum_{H \in \mathcal{H}} \sum_{z \in R} \frac{1}{|\mathcal{H}|} \left| \Pr[z \mid H] - \frac{1}{|R|} \right|
&= \frac{1}{2|\mathcal{H}|} \sum_{z \in R} \sum_{H \in \mathcal{H}} \left| \Pr[x \mid \pi_{x-z}(H)] - \frac{1}{|R|} \right| \\
&= \frac{|R|}{2|\mathcal{H}|} \sum_{H \in \mathcal{H}} \left| \Pr[x \mid H] - \frac{1}{|R|} \right| && \text{because } \pi_{x-z} \text{ is a permutation} \\
&= \frac{1}{2} \sum_{H \in \mathcal{H}} \left| \Pr[H \mid x] - \frac{1}{|\mathcal{H}|} \right| && \text{because, with } \Pr[x] = \tfrac{1}{|R|},\ \Pr[H \mid x] = \tfrac{\Pr[x \mid H]}{|\mathcal{H}| \Pr[x]} = \tfrac{|R| \Pr[x \mid H]}{|\mathcal{H}|}.
\end{aligned}$$

Note that the last expression is indeed the statistical difference between $\mathcal{S}^n_x$ and $U_{R^n \times R^n}$. To complete the proof note that we have already bounded the first quantity by $2^{-\Omega(n - \log|R|)}$. □
3.2 Linear Code Based Encodings

We describe an abstract noisy encoding scheme for a ring family $\mathcal{R}$. The encoding scheme is specified using a code generation algorithm $\mathcal{G}$:

• $\mathcal{G}$ is a randomized algorithm such that $\mathcal{G}^{\mathcal{R}}(\mathrm{id})$ outputs $(G, H, L)$ where $G$ is an $n \times k$ matrix, $L \subseteq [n]$, $|L| = \ell$, and $H$ is another matrix. We note that only $G$ and $L$ will be used in the noisy encoding process; $H$ will be useful in describing the decoding process.

Here $k$ is the security parameter as well as the code dimension, and $n(k)$ (code length) and $\ell(k)$ (number of coordinates without noise) are parameters of $\mathcal{G}$. In our instantiations $n$ will be a constant multiple of $k$ and in most cases we will have $\ell = k$.

Let $\mathcal{R}$ be a ring family and $R = \mathcal{R}_{\mathrm{id}}$ for some id. Given $\mathcal{G}$, a parameter $t(k) \le k$ (number of ring elements to be encoded, $t = 1$ by default), and $x \in R^t$, we define a distribution $\mathcal{E}^{R}_{(\mathcal{G},t)}(x)$ as that of the public output in the following encoding process:

• Encoding $\mathrm{Encode}^{\mathcal{R}}_{(\mathcal{G},t)}(\mathrm{id}, x)$:

  - Input: $x = (x_1, \ldots, x_t) \in R^t$.

  - Let $(G, H, L) \leftarrow \mathcal{G}^{\mathcal{R}}(\mathrm{id})$.

  - Pick a random vector $u \in R^k$ conditioned on $u_i = x_i$ for $i = 1, \ldots, t$ (i.e., $u$ is $x$ padded with $k - t$ random elements). Compute $Gu \in R^n$.

  - Pick a random vector $v \leftarrow R^n$, conditioned on $v_i := (Gu)_i$ for $i \in L$.

  - Let the private output be $(G, L, H, v)$ and the public output be $(G, v)$ (where each ring element is represented as a bit string obtained by the mapping label used by $\mathcal{R}$).

The matrix $H$ is not used in the encoding above, but will be required for a decoding procedure that our protocols will involve. In our main instantiations $H$ can be readily derived from $G$ and $L$. But we include $H$ explicitly in the outcome of $\mathcal{G}$, because in some cases it is possible to obtain efficiency gains if $(G, H, L)$ are sampled together. We sketch one such case when we describe "Ring code based encoding" in Section 3.2.1.

Assumption 1 (Generic version, for a given $\mathcal{G}$, $\mathcal{R}$ and $t(k)$.) For all sequences $\{(\mathrm{id}_k, x_k, y_k)\}_k$, let $R_k = \mathcal{R}_{\mathrm{id}_k}$, and suppose $x_k, y_k \in R_k^t$. Then the ensembles $\{\mathcal{E}^{R_k}_{(\mathcal{G},t)}(x_k)\}_k$ and $\{\mathcal{E}^{R_k}_{(\mathcal{G},t)}(y_k)\}_k$ are computationally indistinguishable.

For the sake of reference to some previously studied assumptions, we also define a simpler (but stronger) generic assumption, which implies the above version:

Assumption 2 (Generic pseudorandomness version, for a given $\mathcal{G}$ and $\mathcal{R}$.) For any sequence $\{\mathrm{id}_k\}_k$, let $R_k = \mathcal{R}_{\mathrm{id}_k}$. Then the ensembles $\{\mathcal{E}^{R_k}_{(\mathcal{G},t)}(0^{t(k)})\}_k$ and $\{(G \leftarrow \mathcal{G}^{R_k}, v \leftarrow R_k^n)\}_k$ are computationally indistinguishable.

3.2.1 Instantiations of the Encoding 

The above generic encoding scheme can be instantiated by specifying a code generation algorithm Q, a ring 
family, and the parameter t(k) which specifies the length of the input to be encoded. We consider three such 
instantiations. 
Random code based instantiation. Our first instantiation of the generic encoding has $t(k) = 1$ and uses a code generation algorithm $\mathcal{G}_{\mathrm{Rand}}$ based on a random linear code. Here the ring family is any field family $\mathcal{F}$. $\mathcal{G}^{\mathcal{F}}_{\mathrm{Rand}}(\mathrm{id})$ works as follows:

• Let $k = |\mathrm{id}|$. Let $n = 2k$ and $\ell = k$. Denote $\mathcal{F}_{\mathrm{id}}$ by $F$.

• Pick a random $n \times k$ matrix $G \leftarrow F^{n \times k}$.

• Pick a random subset $L \subseteq [n]$, $|L| = k$, such that the $k \times k$ submatrix $G|_L$ is non-singular, where $G|_L$ consists of those rows in $G$ whose indices are in $L$.^11

• Let $H$ be the $k \times k$ matrix such that $HG|_L = I$, the $k \times k$ identity matrix. (This $H$ will be used in our protocol constructions.)

The following variants of this instantiation are also interesting:

• Instead of choosing $n(k) = 2k$, we can choose $n(k) \ge 2k + \log^c|F|$ for some $c < 1$ (say $c = \frac{1}{2}$). By choosing a larger $n$ we essentially weaken the required assumption. (We remark that the case of $n(k) \ge \log|F|$ is not of much interest to us here, because then our construction which employs this assumption is bettered by our unconditional construction.)

• The above encoding can be directly used with a pseudo-field family instead of a field family. Note that the invertibility of elements was used in deriving $H$, but in a pseudo-field, except with negligible probability this derivation will still be possible.

Ring code based instantiation. Our next instantiation also has $t(k) = 1$. It uses a code generation algorithm $\mathcal{G}_{\mathrm{Ring}}$ that works with any arbitrary ring family (not just fields). But for simplicity we will assume that the ring has a multiplicative identity 1.^12 Here again in the noisy encoding we will use $t = 1$. $\mathcal{G}^{\mathcal{R}}_{\mathrm{Ring}}(\mathrm{id})$ works as follows.

• Let $k = |\mathrm{id}|$. Let $n = 2k$ and $\ell = k$. Denote $\mathcal{R}_{\mathrm{id}}$ by $R$.

• Pick two $k \times k$ random matrices $A$ and $B$ with elements from $R$, conditioned on them being upper triangular and having 1 on the main diagonal. Let $G$ be the $2k \times k$ matrix $\begin{bmatrix} A \\ B \end{bmatrix}$.

• Define $L$ as follows. Let $L = \{\alpha_1, \ldots, \alpha_k\}$ where $\alpha_i = i$ or $k + i$ uniformly at random. (That is, $\alpha_i$ indexes the $i$-th row in either $A$ or $B$.)

• Note that $G|_L$ is an upper triangular matrix with 1 on the main diagonal. It is easy to compute an upper triangular matrix $H$ (also with 1 on the main diagonal) using only the ring operations on elements in $G|_L$ such that $HG|_L = I$.

Here, instead of choosing two matrices, we could choose several, to make the resulting assumption weaker at the expense of increasing $n$.

We point out an alternate encoding which would also work with arbitrary rings. One can construct $G|_L$ and $H$ such that $HG|_L = I$ simultaneously by taking two opposite random walks in the special linear group $SL(n, R)$ (i.e., the group of $n \times n$ matrices over the ring $R$ with determinant 1), where each step in the walk consists of adding or subtracting a row from another row, or a column from another column; in the "opposite" walk, the step corresponding to an addition has a subtraction, and the step corresponding to a subtraction has an addition. The random walks start from the identity matrix, and will be long enough for the generated matrices to have sufficient entropy. Note that in such a scheme, we need to rely on the code generation algorithm to simultaneously sample $(G, L, H)$, rather than output just $(G, L)$, because matrix inversion is not necessarily easy for all rings.

11 For efficiency of $\mathcal{G}$, it is enough to try random subsets $L \subseteq [n]$ and check if $G|_L$ is non-singular; in the unlikely event that no $L$ is found in $k$ trials, $\mathcal{G}$ can replace $G$ with an arbitrary matrix with a $k \times k$ identity matrix in the first $k$ rows.

12 Rings which do not have 1 can be embedded into a ring of double the size which does have 1, by including new elements $a + 1$ for every element $a$ in the original ring, and setting $1 + 1 = 0$.



Reed-Solomon code based instantiation. In our third instantiation of the generic encoding, we will have $t(k)$ be a constant fraction of $k$. The code generation algorithm $\mathcal{G}_{\mathrm{RS}}$ is based on the Reed-Solomon code, and will work with any sufficiently large field family $\mathcal{F}$. $\mathcal{G}^{\mathcal{F}}_{\mathrm{RS}}(\mathrm{id})$ works as follows:

• Let $k = |\mathrm{id}|$. Let $n = ck$, for a sufficiently large constant $c > 4$,^13 and $\ell = 2k - 1$. Denote $\mathcal{F}_{\mathrm{id}}$ by $F$.

• Pick distinct points $\zeta_i \in F$ for $i = 1, \ldots, k$, and $\vartheta_i \in F$ for $i = 1, \ldots, n$, uniformly at random.

• Define the $n \times k$ matrix $G$ so that it extrapolates a degree $k - 1$ polynomial, given by its values at the $k$ points $\zeta_i$, to the $n$ evaluation points $\vartheta_i$. That is, $G$ is such that for any $u \in F^k$, $(Gu)_i = P(\vartheta_i)$ for $i = 1, \ldots, n$, where $P$ is the unique degree $k - 1$ polynomial such that $P(\zeta_i) = u_i$ for $i = 1, \ldots, k$.

• Pick $L \subseteq [n]$ with $|L| = \ell = 2k - 1$ at random.

• Let $H$ be the $k \times (2k - 1)$ matrix such that $(Hv|_L)_i = Q(\zeta_i)$, where $Q$ is the unique degree $2(k - 1)$ polynomial such that $Q(\vartheta_j) = v_j$ for all $j \in L$.

3.2.2 Instantiations of Assumption 1

Each of the above instantiations of the encoding leads to a corresponding instantiation of Assumption 1. For the sake of clarity we collect these assumptions below.

Assumption 3 (a) [For $\mathcal{G}_{\mathrm{Rand}}$, with $t(k) = 1$.] For any computationally efficient field family $\mathcal{F}$, for all sequences $\{(\mathrm{id}_k, x_k, y_k)\}_k$, let $F_k = \mathcal{F}_{\mathrm{id}_k}$, and suppose $x_k, y_k \in F_k$. Then the ensembles $\{\mathcal{E}^{F_k}_{(\mathcal{G}_{\mathrm{Rand}},1)}(x_k)\}_k$ and $\{\mathcal{E}^{F_k}_{(\mathcal{G}_{\mathrm{Rand}},1)}(y_k)\}_k$ are computationally indistinguishable.

(b) [For $\mathcal{G}_{\mathrm{Ring}}$, with $t(k) = 1$.] For any computationally efficient ring family $\mathcal{R}$, for all sequences $\{(\mathrm{id}_k, x_k, y_k)\}_k$, let $R_k = \mathcal{R}_{\mathrm{id}_k}$, and suppose $x_k, y_k \in R_k$. Then the ensembles $\{\mathcal{E}^{R_k}_{(\mathcal{G}_{\mathrm{Ring}},1)}(x_k)\}_k$ and $\{\mathcal{E}^{R_k}_{(\mathcal{G}_{\mathrm{Ring}},1)}(y_k)\}_k$ are computationally indistinguishable.

(c) [For $\mathcal{G}_{\mathrm{RS}}$, with $t(k) = k/2$.^14] For any computationally efficient field family $\mathcal{F}$, for all sequences $\{(\mathrm{id}_k, x_k, y_k)\}_k$, let $F_k = \mathcal{F}_{\mathrm{id}_k}$, and suppose $x_k, y_k \in F_k^t$. Then the ensembles $\{\mathcal{E}^{F_k}_{(\mathcal{G}_{\mathrm{RS}},t)}(x_k)\}_k$ and $\{\mathcal{E}^{F_k}_{(\mathcal{G}_{\mathrm{RS}},t)}(y_k)\}_k$ are computationally indistinguishable, for $t \le k/2$.

13 We require $c > 4$ so that Assumption 3(c) will not be broken by known list-decoding algorithms for Reed-Solomon codes. $c = 8$ may be a safe choice, with larger values of $c$ being more conservative.

14 We can make the assumption weaker by choosing smaller values of $t$, or larger values of $n$ in $\mathcal{G}_{\mathrm{RS}}$.
4 Product-Sharing Secure Against Passive Corruption

In this section we consider the basic two-party functionality $\mathcal{F}_{\text{pdt-shr}}$ described below:

• A sends $a \in R$ and B sends $b \in R$ to $\mathcal{F}_{\text{pdt-shr}}$.

• $\mathcal{F}_{\text{pdt-shr}}$ samples two random elements $z_A, z_B \in R$ such that $z_A + z_B = ab$, and gives $z_A$ to A and $z_B$ to B.

When we want to explicitly refer to the ring in which the computation takes place we will write the functionality as $\mathcal{F}^R_{\text{pdt-shr}}$.

We present three protocols based on noisy encodings, with increasing efficiency but using stronger assumptions, in the OT-hybrid model for this functionality (some of which are restricted to the case when $R$ is a field). We then present two protocols based on homomorphic encryption. These protocols are secure only against static passive corruption. In Appendix A we present a general transformation, that applies to a class of protocols covering all our above protocols, to obtain protocols that are secure against adaptive passive corruption, with erasures.

4.1 A Basic Protocol with Statistical Security 

• Protocol $\rho_{\mathrm{OT}}$. A holds $a \in R$ and B holds $b \in R$.

  - B randomly encodes $b$ as specified in Section 3.1, i.e., let $(v^0, v^1, \sigma) \leftarrow \mathrm{Enc}^n_{\mathcal{R}}(\mathrm{id}, b)$. Then B sends $(v^0_i, v^1_i)$ (for $i = 1, \ldots, n$) to A.

  - A picks a random vector $t \in R^n$ and sets $z_A = \sum_{i=1}^n t_i$; she computes $w^0_i = a v^0_i - t_i$ and $w^1_i = a v^1_i - t_i$.

  - A and B engage in $n$ instances of $\binom{2}{1}$-OT, where in the $i$-th instance A's inputs are $(w^0_i, w^1_i)$ and B's input is $\sigma_i$. B receives $w^{\sigma_i}_i$.

  - A outputs $z_A$. B outputs the sum of all the $n$ elements he received above, i.e., B outputs $z_B := \sum_i w^{\sigma_i}_i = \sum_i (a v^{\sigma_i}_i - t_i) = ab - z_A$.

We will pick $n \ge \log(|R|) + k$. Then we have the following result.

Lemma 2 Suppose $n \ge \log(|R|) + k$. Then protocol $\rho_{\mathrm{OT}}$ securely realizes $\mathcal{F}_{\text{pdt-shr}}$ against static passive corruption. The security is statistical.

PROOF SKETCH: When B is corrupted, it is easy to construct a simulator to obtain perfect security. The more interesting case is when A is corrupted. Then the simulator Sim behaves as follows.

• Send A's input to $\mathcal{F}_{\text{pdt-shr}}$ and obtain $z_A$ in response.

• Set $t \in R^n$ in A's random tape such that $\sum_i t_i = z_A$. Note that A's output will then be $z_A$.

• Sample an element $\tilde{b} \leftarrow R$ and run the honest program for B using this input. The only message produced by the simulation is a pair of vectors $(v^0, v^1)$.

By Lemma 1 the message produced by the simulator is statistically close to the message produced by B in the real execution (both being statistically close to the uniform distribution over $R^n \times R^n$), and the simulation is statistically indistinguishable from a real execution. □
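The encoding of Section 3.1 and protocol ρ_OT of Section 4.1, worked over the ring Z_m in Python as an added example (this is not the paper's code). The ⟨2 choose 1⟩-OT is replaced by an ideal helper that hands B only the selected label, and `decode` shows that the pattern σ is exactly the information needed to recover x from (v^0, v^1).

```python
import secrets

# Added example: the statistically hiding noisy encoding Enc^n(x) of Section 3.1
# and protocol rho_OT of Section 4.1, instantiated over the ring Z_m = Z/mZ.
# Ring elements are Python ints in [0, m); the OT is an ideal helper function.

def enc(m, x, n):
    """Enc^n(x) over Z_m: return (v0, v1, sigma) such that sum_i v_i^{sigma_i} = x."""
    sigma = [secrets.randbelow(2) for _ in range(n)]      # the hidden pattern
    u = [secrets.randbelow(m) for _ in range(n - 1)]       # u random with sum x:
    u.append((x - sum(u)) % m)                             # last coordinate fixes the sum
    v0 = [secrets.randbelow(m) for _ in range(n)]          # off-pattern slots are noise
    v1 = [secrets.randbelow(m) for _ in range(n)]
    for i in range(n):                                     # place u_i at v_i^{sigma_i}
        if sigma[i] == 0:
            v0[i] = u[i]
        else:
            v1[i] = u[i]
    return v0, v1, sigma

def decode(m, v0, v1, sigma):
    """Recover x from the public part (v0, v1) using the private pattern sigma."""
    return sum(v1[i] if sigma[i] else v0[i] for i in range(len(sigma))) % m

def ot_1_of_2(pair, choice):
    """Ideal (2 choose 1)-OT: the receiver learns pair[choice] and nothing else."""
    return pair[choice]

def rho_ot(m, a, b, n):
    """Run rho_OT between A (input a) and B (input b); return (z_A, z_B) with z_A + z_B = ab."""
    # B: encode b and send the public part (v0, v1) to A; sigma stays with B
    v0, v1, sigma = enc(m, b, n)
    # A: random t, z_A = sum t_i, and w_i^j = a * v_i^j - t_i for j in {0, 1}
    t = [secrets.randbelow(m) for _ in range(n)]
    z_a = sum(t) % m
    w0 = [(a * v0[i] - t[i]) % m for i in range(n)]
    w1 = [(a * v1[i] - t[i]) % m for i in range(n)]
    # n OTs: in instance i, B chooses with sigma_i and receives w_i^{sigma_i}
    received = [ot_1_of_2((w0[i], w1[i]), sigma[i]) for i in range(n)]
    # B: z_B = sum_i w_i^{sigma_i} = sum_i (a u_i - t_i) = ab - z_A
    z_b = sum(received) % m
    return z_a, z_b

def min_n(m, k):
    """Smallest n allowed by Lemma 2: n >= ceil(log2 |R|) + k for R = Z_m."""
    return (m - 1).bit_length() + k
```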



4.2 Basic Protocol Using Linear Codes for Rings

We improve on the efficiency of the protocol in Section 4.1 by depending on computational assumptions regarding linear codes. One advantage of the protocol in this section is that it does not explicitly depend on the size of the underlying ring. Restricted to fields, this construction can use the code generation $\mathcal{G}_{\mathrm{Rand}}$; for arbitrary rings with unity, the construction can use $\mathcal{G}_{\mathrm{Ring}}$. Note that both coding schemes generate $(G, L, H)$ such that $HG|_L = I$, which is what the protocol depends on. It uses these codes in a noisy encoding with $t = 1$.

• Protocol $\sigma_{\mathrm{OT}}$. A holds $a \in R$ and B holds $b \in R$.

  - B randomly encodes $b$ using $\mathrm{Encode}^{\mathcal{R}}_{(\mathcal{G},1)}(\mathrm{id}, b)$ to get $(G, H, L, v)$ as the private output. (Note that $t = 1$ in the encoding, and $HG|_L = I$.)

  - B sends $(G, v)$ to A.

  - A picks a random vector $x \in R^k$ and sets $w = av - Gx$.

  - A and B engage in an $\binom{n}{k}$-OT where A's inputs are $(w_1, \ldots, w_n)$ and B's input is $L$. B receives $w_i$ for $i \in L$. (Recall that when considering passive corruption, an $\binom{n}{k}$-OT may be implemented using $n$ instances of $\binom{2}{1}$-OT. Here OT is a string-OT and the inputs are labels for the ring elements.)

  - A outputs $z_A := x_1$, the first coordinate of $x$. B outputs $z_B := (Hw|_L)_1 = ab - x_1$.

Lemma 3 If Assumption 1 holds for a code generation scheme $\mathcal{G}$, with $t = 1$, then Protocol $\sigma_{\mathrm{OT}}$ securely realizes $\mathcal{F}_{\text{pdt-shr}}$ against static passive corruption.

PROOF SKETCH: The interesting case is when A is corrupt and B is honest. Then the simulator Sim behaves as follows.

• Send A's input to $\mathcal{F}_{\text{pdt-shr}}$ and obtain $z_A$ in response.

• Set $x \in R^k$ in A's random tape conditioned on $x_1 = z_A$. Note that A's output will then be $z_A$.

• Sample an element $\tilde{b} \leftarrow R$ and run the honest program for B using this input. The only message produced by the simulation is the pair $(G, v)$.

$(G, v)$ is the only message output by (simulated) B in the (simulated) protocol. In the real execution this message is distributed according to $\mathcal{E}^{R}_{(\mathcal{G},1)}(b)$, whereas in the simulation it is distributed according to $\mathcal{E}^{R}_{(\mathcal{G},1)}(\tilde{b})$. By the assumption in the lemma, we conclude that these two distributions are indistinguishable (even if $b$ and $\tilde{b}$ are known), and hence the view of the environment in the real execution is indistinguishable from that in the simulated execution. □
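The ring code $\mathcal{G}_{\mathrm{Ring}}$ of Section 3.2.1 together with protocol σ_OT of Section 4.2, worked over Z_m in Python as an added example (not the paper's code). Only the ring operations +, −, · are used, so the inverse H of the unit upper-triangular G|_L is obtained by back-substitution and the same code runs over a composite modulus such as m = 2^16; the ⟨n choose k⟩-OT is again an ideal helper that hands B exactly the positions in L.

```python
import secrets

# Added example (not the paper's code): G_Ring of Section 3.2.1 and protocol sigma_OT of
# Section 4.2 over Z_m, using only +, -, * (no division), so composite m works.
# The (n choose k)-OT is an ideal helper function.

def unit_upper(m, k):
    """Random k x k upper-triangular matrix over Z_m with 1 on the main diagonal."""
    return [[1 if j == i else (secrets.randbelow(m) if j > i else 0) for j in range(k)]
            for i in range(k)]

def invert_unit_upper(M, m):
    """H with H*M = I for unit upper-triangular M, by back-substitution (ring ops only)."""
    k = len(M)
    H = [[0] * k for _ in range(k)]
    for col in range(k):                        # solve M x = e_col, column by column
        x = [0] * k
        for i in range(k - 1, -1, -1):
            s = 1 if i == col else 0
            for j in range(i + 1, k):
                s = (s - M[i][j] * x[j]) % m
            x[i] = s                            # M[i][i] == 1, so no inverse is needed
        for i in range(k):
            H[i][col] = x[i]
    return H

def matvec(M, u, m):
    return [sum(M[i][j] * u[j] for j in range(len(u))) % m for i in range(len(M))]

def matmul(A, B, m):
    return [[sum(A[i][l] * B[l][j] for l in range(len(B))) % m for j in range(len(B[0]))]
            for i in range(len(A))]

def is_identity(M, m):
    return all(M[i][j] % m == (1 if i == j else 0) for i in range(len(M)) for j in range(len(M)))

def gen_ring_code(m, k):
    """G_Ring(id): G = [A; B] (2k x k), L picks row i from A or B, H = (G|_L)^{-1}."""
    A, B = unit_upper(m, k), unit_upper(m, k)
    G = A + B                                   # stack A on top of B
    L = [i if secrets.randbelow(2) == 0 else k + i for i in range(k)]
    G_L = [G[idx] for idx in L]                 # unit upper-triangular by construction
    return G, invert_unit_upper(G_L, m), L

def encode(m, k, x):
    """Encode_(G_Ring, 1)(x): private output (G, H, L, v); the public part is (G, v)."""
    G, H, L = gen_ring_code(m, k)
    u = [x] + [secrets.randbelow(m) for _ in range(k - 1)]   # x padded with k-1 randoms
    Gu = matvec(G, u, m)
    v = [secrets.randbelow(m) for _ in range(2 * k)]         # noise everywhere ...
    for i in L:
        v[i] = Gu[i]                                          # ... except on L
    return G, H, L, v

def ot_k_of_n(msgs, L):
    """Ideal (n choose k)-OT: the receiver learns msgs[i] for i in L only."""
    return [msgs[i] for i in L]

def sigma_ot(m, k, a, b):
    """Run sigma_OT; returns (z_A, z_B) with z_A + z_B = ab in Z_m."""
    G, H, L, v = encode(m, k, b)                  # B encodes b and sends (G, v) to A
    x = [secrets.randbelow(m) for _ in range(k)]  # A: random x, w = a*v - G*x
    Gx = matvec(G, x, m)
    w = [(a * v[i] - Gx[i]) % m for i in range(2 * k)]
    w_L = ot_k_of_n(w, L)                         # B receives w_i for i in L
    # w|_L = G|_L (a*u - x), so H w|_L = a*u - x, whose first entry is ab - x_1
    z_b = matvec(H, w_L, m)[0]
    return x[0], z_b
```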
4.3 Amortization using Packed Encoding

In this section we provide a passive-secure protocol in the OT-hybrid model for multiple instances of the basic two-party functionality $\mathcal{F}_{\text{pdt-shr}}$. That is, we realize the two-party functionality $\mathcal{F}^{F,t}_{\text{pdt-shr}}$ which takes as inputs $a \in F^t$ and $b \in F^t$, and outputs random vectors $z^A$ and $z^B$ to A and B respectively, such that $z^A + z^B = ab := (a_1 b_1, \ldots, a_t b_t)$ (note that multiplication in $F^t$ refers to coordinate-wise multiplication). We use the noisy encoding scheme with the code generation algorithm $\mathcal{G}_{\mathrm{RS}}$. We shall choose $t = k/2$.

• Protocol $\tau_{\mathrm{OT}}$. A holds $a = (a_1, \ldots, a_t) \in F^t$ and B holds $b = (b_1, \ldots, b_t) \in F^t$.

  - B randomly encodes $b$ using $\mathrm{Encode}^{\mathcal{F}}_{(\mathcal{G}_{\mathrm{RS}},t)}(\mathrm{id}, b)$ to get $(G, H, L, v)$ as the private output.

  - B sends $G$ and $v = (v_1, \ldots, v_n) \in F^n$ to A. Recall that for some degree $k - 1$ polynomial $P_b$ (with $P_b(\zeta_i) = b_i$ for $i = 1, \ldots, t$), $v_i := P_b(\vartheta_i)$ for $i \in L$ (and $v_i$ is a random field element if $i \notin L$).

  - Note that the points $\vartheta_i$ and $\zeta_i$ are implicitly specified by $G$. A picks a random degree $k - 1$ polynomial $P_a$ such that $P_a(\zeta_i) = a_i$ for $i = 1, \ldots, t$, and also a random degree $2(k - 1)$ polynomial $P_r$. A computes $w_i := P_a(\vartheta_i) v_i - P_r(\vartheta_i)$ for $i = 1, \ldots, n$.

  - A and B engage in a $\binom{n}{2k-1}$-OT, where A's inputs are $(w_1, \ldots, w_n)$ and B's input is $L$. B receives $w_i$ for $i \in L$.

  - B computes $Hw|_L$. Note that then $(Hw|_L)_i = Q(\zeta_i)$ where $Q$ is the unique degree $2(k - 1)$ polynomial such that $Q(\vartheta_i) = w_i$ for $i \in L$.

  - A sets $z^A_i := P_r(\zeta_i)$ for $i = 1, \ldots, t$, and B sets $z^B_i := Q(\zeta_i)$ for $i = 1, \ldots, t$. Note that (if A and B are honest) $Q$ is the degree $2(k - 1)$ polynomial $P_a P_b - P_r$, and hence $z^A_i + z^B_i = P_a(\zeta_i) P_b(\zeta_i) = a_i b_i$.

  - A outputs $z^A := (z^A_1, \ldots, z^A_t)$ and B outputs $z^B := (z^B_1, \ldots, z^B_t)$.

Remark about computational efficiency. The computational complexity of Protocol $\tau_{\mathrm{OT}}$ (ignoring the use of OT) is dominated by the evaluation and interpolation of polynomials (note that the matrices $G$ and $H$ can be stored in an implicit form just by storing the points $\vartheta_i$ and $\zeta_i$). As such, in general the complexity would be $O(k \log^2 k)$ for randomly chosen evaluation points [vzGG99]. We note, however, that this complexity can be reduced to $O(k \log k)$ by a more careful selection of evaluation points [vzGG99], at the expense of having to assume that Assumption 3(c) holds also with respect to this specific choice of evaluation points.

Lemma 4 If Assumption 3(c) holds, then Protocol $\tau_{\mathrm{OT}}$ securely realizes $\mathcal{F}^{F,t}_{\text{pdt-shr}}$ against static passive corruption.

PROOF SKETCH: The interesting case is when A is corrupt and B is honest. Then the simulator Sim behaves as follows.

• Send A's input $a$ to $\mathcal{F}^{F,t}_{\text{pdt-shr}}$ and obtain $z^A$ in response.

• Set A's random tape so that she picks $P_r$ such that $P_r(\zeta_i) = z^A_i$ for $i = 1, \ldots, t$. Note that A's output will then be $z^A$.

• Sample $\tilde{b} \in F^t$ and run the honest program for B using this input. The only message produced by the simulation is the vector $v$.

Indistinguishability of the simulation follows because of the assumption in the lemma: given $\tilde{b}$ and $b$, $\mathcal{E}^{F}_{(\mathcal{G}_{\mathrm{RS}},t)}(\tilde{b})$ and $\mathcal{E}^{F}_{(\mathcal{G}_{\mathrm{RS}},t)}(b)$ are computationally indistinguishable. □
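The packed Reed-Solomon encoding $\mathcal{G}_{\mathrm{RS}}$ of Section 3.2.1 and protocol τ_OT of Section 4.3, worked over a prime field F_p in Python as an added example (not the paper's code). G and H are kept implicit as the point sets ζ and ϑ, exactly as the efficiency remark suggests, so encoding is extrapolation of P_b and decoding is interpolation of Q through the 2k−1 positions in L; the prime p and the ideal ⟨n choose 2k−1⟩-OT helper are this example's choices.

```python
import random
import secrets

# Added example (not the paper's code): G_RS of Section 3.2.1 and protocol tau_OT of
# Section 4.3 over a pr0ime field F_p. Polynomials are handled as point-value tables via
# Lagrange interpolation; G and H are implicit in the points zeta, theta and the set L.

def lagrange_eval(xs, ys, x, p):
    """Evaluate at x the unique polynomial of degree < len(xs) over F_p through (xs[j], ys[j])."""
    total = 0
    for j in range(len(xs)):
        num, den = 1, 1
        for l in range(len(xs)):
            if l != j:
                num = num * (x - xs[l]) % p
                den = den * (xs[j] - xs[l]) % p
        total = (total + ys[j] * num * pow(den, -1, p)) % p   # points are distinct, den != 0
    return total

def gen_rs_code(p, k, c):
    """G_RS(id): k interpolation points zeta, n = c*k evaluation points theta, |L| = 2k-1."""
    rng = random.SystemRandom()
    pts = rng.sample(range(p), k + c * k)            # k + n distinct field elements
    zeta, theta = pts[:k], pts[k:]
    L = sorted(rng.sample(range(c * k), 2 * k - 1))  # noise-free coordinates
    return zeta, theta, L

def rs_encode(p, zeta, theta, L, x, k):
    """Encode_(G_RS, t)(x): pad x to k values at zeta, extrapolate to theta, add noise off L."""
    u = list(x) + [secrets.randbelow(p) for _ in range(k - len(x))]  # x padded with randoms
    v = [secrets.randbelow(p) for _ in theta]                        # noise everywhere ...
    for i in L:
        v[i] = lagrange_eval(zeta, u, theta[i], p)                   # ... except on L: P_x(theta_i)
    return v

def rs_decode(p, zeta, theta, L, w, t):
    """(H w|_L)_i = Q(zeta_i): interpolate the degree 2(k-1) polynomial Q through w on L."""
    xs = [theta[i] for i in L]
    ws = [w[i] for i in L]
    return [lagrange_eval(xs, ws, zeta[i], p) for i in range(t)]

def ot_ell_of_n(msgs, L):
    """Ideal (n choose 2k-1)-OT: the receiver learns msgs[i] for i in L only."""
    return {i: msgs[i] for i in L}

def tau_ot(p, k, a, b, c=4):
    """Run tau_OT for a, b in F_p^t (t <= k/2); returns (z_A, z_B) with z_A + z_B = a*b."""
    t = len(a)
    assert len(b) == t and 2 * t <= k
    zeta, theta, L = gen_rs_code(p, k, c)
    n = len(theta)
    v = rs_encode(p, zeta, theta, L, b, k)        # B sends (G, v): v_i = P_b(theta_i) on L
    # A: P_a with P_a(zeta_i) = a_i for i < t (random elsewhere), random P_r of degree 2(k-1)
    ya = list(a) + [secrets.randbelow(p) for _ in range(k - t)]
    pr = [secrets.randbelow(p) for _ in range(2 * k - 1)]      # coefficients of P_r
    def eval_pr(x):
        return sum(cf * pow(x, i, p) for i, cf in enumerate(pr)) % p
    w = [(lagrange_eval(zeta, ya, theta[i], p) * v[i] - eval_pr(theta[i])) % p
         for i in range(n)]
    # OT: B learns w_i for i in L; there w_i = (P_a P_b - P_r)(theta_i), of degree 2(k-1)
    w_L = ot_ell_of_n(w, L)
    z_b = rs_decode(p, zeta, theta, L, w_L, t)    # z_B_i = Q(zeta_i) = a_i b_i - P_r(zeta_i)
    z_a = [eval_pr(zeta[i]) for i in range(t)]    # z_A_i = P_r(zeta_i)
    return z_a, z_b
```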

4.4 Protocols based on Homomorphic Encryption 

In this section, we construct protocols (secure against passive adversaries) for the basic two-party function- 
ality .Fpdt-shr* based on homomorphic encryption. Since we work in the context of rings, by homomorphic 
encryption (informally speaking), we mean an encryption scheme where it is possible to both: (1) given 
encryptions of two ring elements x and y, it is possible to generate an encryption of x + y; and (2) given a 
ring element a and an encryption of a ring element x, it is possible to generate an encryption of ax. It is 
important to stress two points: 

• Any encryption scheme that is group-homomorphic for the standard representation of the (additive)
group Z_m is immediately homomorphic in our sense with respect to the ring Z_m.

• As such, our notion of homomorphic encryption, even though it is defined in the context of rings,
is different from and should not be confused with the notion of "fully" or "doubly" homomorphic
encryption. In particular, we do not require that given encryptions of two ring elements x and y, it is
possible to generate an encryption of x · y, where · is the ring multiplication operation.

Note that while most homomorphic encryption schemes from the literature fit this definition (since
they are group-homomorphic for the standard representation of the (additive) group Z_m), some do not; for
example, the El Gamal encryption scheme is group-homomorphic for a subgroup of Z_p^*, but there does not
seem to be any ring structure for which El Gamal encryption would be homomorphic in our sense.^15

Furthermore, we consider two types of homomorphic encryption schemes. Informally speaking, the
issue that separates these two types of homomorphic encryption schemes is whether the ring underlying the
homomorphic encryption scheme can be specified beforehand (which we call a "controlled ring" scheme),
or whether it is determined by the key generation algorithm (which we call an "uncontrolled ring" scheme). For
example, the key generation algorithm of the classic Goldwasser-Micali encryption scheme [GM84] based
on quadratic residuosity always produces keys for a Z_2-homomorphic encryption scheme, and is thus a
"controlled ring" scheme. Note that by considering higher residuosity classes, Benaloh [Ben87] similarly
constructs "controlled ring" homomorphic encryption schemes for the rings Z_p, where p is a polynomially
bounded (small) prime number. On the other hand, schemes like the Paillier cryptosystem [Pai99] are
homomorphic with respect to the ring Z_n, where n is a randomly chosen product of two large primes chosen
at the time of key generation; n cannot be specified ahead of time. Thus, the Paillier scheme is an example
of an "uncontrolled ring" homomorphic encryption scheme.

We first describe formally what we call "controlled ring" homomorphic encryption: 

Definition 4.1 A "controlled ring" homomorphic encryption scheme corresponding to a concrete ring fam-
ily 𝓡 is a tuple of algorithms (G, E, D, C), such that:

1. (G, E, D) is a semantically secure public-key encryption scheme, except that the algorithm G takes
as input both 1^k and id, and the set of values that can be encrypted using the public key output by G
are the elements of R_id.



15 Since Z_p^* is cyclic, it can be associated with the ring Z_{p−1}; however there does not seem to be any computationally efficient
way to consider El Gamal encryption to be homomorphic for any nontrivial subring of this ring, as it would seem to require
computing discrete logarithms in Z_p^* or its subgroups.
2. For any x_1, x_2 ∈ R_id, given (pk, sk) ← G(1^k, id) and two ciphertexts c_1 = E(pk, x_1) and c_2 =
E(pk, x_2), we have that C(pk, c_1, c_2) outputs a distribution whose statistical distance to the distribu-
tion E(pk, x_1 + x_2) is negligible in k.

3. For any x, a ∈ R_id, given (pk, sk) ← G(1^k, id) and a ciphertext c = E(pk, x), we have that
C(pk, c, a) outputs a distribution whose statistical distance to the distribution E(pk, x · a) is negli-
gible in k.

Such controlled ring homomorphic encryption schemes immediately give rise to a protocol for our basic
two-party functionality F_pdt-shr, as we now demonstrate.

• Protocol θ. A holds a ∈ R_id and B holds b ∈ R_id.

- (Initialization) A runs G(1^k, id) to obtain (pk, sk). This is done only once, as the same public
key can be used as many times as necessary.

- A computes c = E(pk, a), and sends c to B.

- B chooses r ∈ R_id at random, computes c' = E(pk, r), and then computes c'' = C(pk, C(pk, c, b), c')
and sends c'' to A. Note that c'' is an encryption of ab + r. B outputs −r.

- A computes v = D(sk, c''), and outputs v.

The correctness and privacy properties of this protocol (against passive corruptions) follow immediately 
from the definition of controlled ring homomorphic encryption. 

As mentioned above, unfortunately many known homomorphic encryption schemes do not allow com- 
plete control over the ring underlying the homomorphic encryption scheme, and so they do not satisfy the 
definition of controlled ring homomorphic encryption schemes. We deal with these types of homomorphic 
encryption schemes separately below. 

Definition 4.2 An "uncontrolled ring" homomorphic encryption scheme corresponding to a concrete ring
family 𝓡 is a tuple of algorithms (G, E, D, C), such that:

1. (G, E, D) is a semantically secure public-key encryption scheme, except that the algorithm G outputs
id along with the public and private keys, and the set of values that can be encrypted using the public
key output by G are the elements of R_id. Furthermore, it is guaranteed that |R_id| ≥ 2^k, and |R_id| ≤ 2^{qk}
for some universal constant q.

2. Given (pk, sk, id) ← G(1^k), for any x_1, x_2 ∈ R_id, and given two ciphertexts c_1 = E(pk, x_1) and
c_2 = E(pk, x_2), we have that C(pk, c_1, c_2) outputs a distribution whose statistical distance to the
distribution E(pk, x_1 + x_2) is negligible in k.

3. Given (pk, sk, id) ← G(1^k), for any x, a ∈ R_id, given a ciphertext c = E(pk, x), we have that
C(pk, c, a) outputs a distribution whose statistical distance to the distribution E(pk, a · x) is negli-
gible in k.

In the case of uncontrolled ring homomorphic encryption schemes, we will not consider general rings,
but rather focus our attention on the special case of Z_M (i.e. Z/MZ). Here, we will assume that we are
using the standard representation of this ring (as integers in [0, M − 1] working modulo M). We note that
this is our only protocol where a specific representation of the underlying ring is important and required for
our result. In this case, using a little bit of standard additional machinery, we can once again construct a
quite simple protocol for our basic two-party functionality F_pdt-shr, as we show below.
• Protocol ψ. A holds a ∈ Z_M and B holds b ∈ Z_M.

- (Initialization) Let k' = ⌈2 log M⌉ + 2 + k. A runs G(1^{k'}) to obtain (pk, sk, N), where N >
4(2^k M²). This is done only once, as the same public key can be used as many times as necessary.

- A computes c = E(pk, a), and sends c to B.

- B chooses r ∈ Z_M and s ∈ Z_{2(2^k M)} at random, computes c' = E(pk, r), c'' = E(pk, sM), and
then computes c''' using the algorithm C repeatedly so that c''' is an encryption of ab + r + sM.
Note that ab + r + sM < N, by choice of parameters. B then sends c''' to A, and outputs −r
mod M.

- A computes v = D(sk, c'''), and outputs v mod M.

A straightforward counting argument shows that for any a, b, r ∈ Z_M, setting w = ab + r mod M,
we have that the statistical distance between the distributions D_1 = (ab + r + sM) and D_2 = (w + sM),
where s ∈ Z_{2(2^k M)} is chosen at random, is at most 2^{−k}. This is because ab + r < 2M², and so there are
at most 2M choices of s for which w + sM would not be in the support of D_1. Thus, by the definition of
uncontrolled ring homomorphic encryption, the correctness and privacy properties of this protocol (against
passive corruptions) follow immediately.
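As an added illustration (not code from the paper), the following instantiates Protocol ψ with a toy Paillier scheme, which is an uncontrolled-ring scheme over Z_N with N = pq fixed by key generation; the primes, M and k are constructed toy values chosen so that N > 4·2^k·M² holds, and the two uses of the paper's algorithm C are split into paillier_add and paillier_scale.

```python
import math
import secrets

# Toy Paillier (G, E, D, C): an uncontrolled-ring homomorphic scheme for Z_N,
# N = pq chosen by key generation. Constructed, insecure parameters only.

def paillier_keygen(p, q):
    """G: returns (pk, sk, N). With g = N + 1 decryption needs no discrete log."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)        # Carmichael function of n
    mu = pow(lam, -1, n)                # inverse of L(g^lam mod n^2) when g = n + 1
    return (n, n + 1), (lam, mu), n

def paillier_enc(pk, m):
    """E: encrypt m in Z_N under fresh randomness r in Z_N^*."""
    n, g = pk
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2

def paillier_dec(pk, sk, c):
    """D: recover the plaintext as an element of Z_N."""
    n, _ = pk
    lam, mu = sk
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n

def paillier_add(pk, c1, c2):
    """C(pk, c1, c2): the ciphertext product encrypts x1 + x2."""
    n, _ = pk
    return (c1 * c2) % (n * n)

def paillier_scale(pk, c, a):
    """C(pk, c, a): the ciphertext power encrypts a * x."""
    n, _ = pk
    return pow(c, a % n, n * n)

# Protocol psi over Z_M, run on top of the scheme above.

def psi_params_ok(M, k, N):
    """The paper's requirement N > 4 * 2^k * M^2 (so that ab + r + sM < N)."""
    return N > 4 * (2 ** k) * M * M

def psi_init(M, k, p, q):
    """Initialization: A generates the key once and checks the ring size."""
    pk, sk, N = paillier_keygen(p, q)
    if not psi_params_ok(M, k, N):
        raise ValueError("ring size N too small for this M and k")
    return pk, sk, N

def psi_bob(pk, c, b, M, k):
    """B's step: returns c''' (encrypting ab + r + sM) and B's share -r mod M."""
    r = secrets.randbelow(M)                     # r in Z_M
    s = secrets.randbelow(2 * (2 ** k) * M)      # s in Z_{2(2^k M)}
    c_ab = paillier_scale(pk, c, b)              # E(ab)
    c_out = paillier_add(pk, c_ab, paillier_enc(pk, r))       # E(ab + r)
    c_out = paillier_add(pk, c_out, paillier_enc(pk, s * M))  # E(ab + r + sM)
    return c_out, (-r) % M

def run_psi(a, b, M, k, p, q):
    """Full run of psi: returns (z_A, z_B) with z_A + z_B = ab mod M."""
    pk, sk, N = psi_init(M, k, p, q)
    c = paillier_enc(pk, a)                      # A -> B
    c_out, z_b = psi_bob(pk, c, b, M, k)         # B -> A
    z_a = paillier_dec(pk, sk, c_out) % M        # A decrypts in Z_N, reduces mod M
    return z_a, z_b

if __name__ == "__main__":
    M, k = 13, 8                                  # constructed toy parameters
    z_a, z_b = run_psi(7, 11, M, k, 1009, 1013)   # N = 1022117 > 4 * 2^8 * 13^2
    print(z_a, z_b, (z_a + z_b) % M, (7 * 11) % M)
```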

Matrix rings. Although we focus on the case of Z_M above, it is easy to see that this approach can be gener-
alized to other related settings, such as the ring of n by n matrices over Z_M, in a straightforward manner.
At a high level, this is because any Z_M-homomorphic encryption scheme immediately gives rise to an en-
cryption scheme that is homomorphic for the ring of n by n matrices over Z_M. In this context, by simply
encrypting each entry in the matrix, the homomorphic property of matrix addition would follow immedi-
ately from the homomorphic property with respect to addition of the underlying encryption scheme. The
slightly interesting case is the "scalar" multiplication (by a known matrix) property of the homomorphic
encryption scheme. It is easy to see that this property also holds, since each entry of the product matrix is
just a degree-2 function of the entries of the two matrices being multiplied. Thus, for instance in our case
of n by n matrices, one can compute the F_pdt-shr functionality with only O(n²) ciphertexts communicated,
even though no algebraic circuits for matrix multiplication are known (or generally believed to exist) with
O(n²) gates.

The discussion regarding matrices above is implicitly written in the context of controlled-ring homo-
morphic encryption. In the context of uncontrolled-ring homomorphic encryption, using the same ideas,
Protocol ψ can be directly adapted to allow one to compute m degree-2 functions over n variables while
communicating only O(m + n) ciphertexts. This allows one to use uncontrolled-ring homomorphic encryp-
tion to compute the F_pdt-shr functionality for n by n matrices over Z_M with only O(n²) ciphertexts (for an
encryption scheme over Z_N where log N is O(log n + k + log M)) being communicated.

5 General Arithmetic Computation against Active Corruption 

As already discussed in Section 1.3, our general protocols are obtained by applying the general technique
of [IPS08], with appropriate choices of the "outer protocol" and the "inner protocol" that apply to the
arithmetic setting.

More concretely, the result from [IPS08] shows how to obtain a UC-secure protocol in the OT-hybrid
model for any (probabilistic polynomial time) two-party functionality f against active corruption by making
a black-box use of the following two ingredients:
1. an "outer protocol" for f which employs k auxiliary parties (servers); this protocol should be UC-
secure against active corruption provided that only some constant fraction of the servers can be cor-
rupted; and

2. an "inner protocol" for implementing a reactive two-party functionality ("inner functionality") corre- 
sponding to the local computation of each server, in which the server's state is secret-shared between 
Alice and Bob. In contrast to the outer protocol, this protocol only needs to be secure against passive 
corruption. The inner protocol can be implemented in the OT-hybrid model. 

While the general result of [IPS08] is not sensitive to the type of secret sharing used for defining the
inner functionality, in our setting it is crucial that any ring elements stored by a server will be secret-shared
between Alice and Bob using additive secret sharing over the ring. Given our protocols for F_pdt-shr, this will
let us have the inner protocol use the ring in a black-box fashion, as described below.

Note that the only operations involving ring elements that a server in an outer protocol needs to perform are the following:
add two ring elements, multiply two ring elements, sample a ring element uniformly at random,
or check if two ring elements are equal. If there are operations which do not involve any ring elements, the
inputs and outputs to these operations are maintained as bit strings and an arbitrary protocol for boolean
circuit evaluation (e.g., GMW in the OT-hybrid model) can be employed. Among the operations that do
involve ring elements, addition and sampling are straightforward: whenever a server in the outer protocol
needs to locally add two ring elements x, y, this can be done locally in the inner protocol by having each of
Alice and Bob add their local shares of the two secrets. When a server in the outer protocol needs to sample
a random ring element, Alice and Bob locally sample the shares of this element. For multiplication, when a
server needs to multiply two ring elements x, y in the outer protocol, the inner protocol will need to apply a
sub-protocol for the following two-party functionality:

• A holds x_A and y_A, B holds x_B and y_B.

• The functionality should compute random values c_A and c_B such that c_A + c_B = (x_A + x_B)(y_A + y_B).

• A is given c_A and B is given c_B.

The above functionality can be realized (in the semi-honest model) by making two calls to any of the
product-sharing protocols from Section 4. Specifically, a secure reduction from the above functionality to
F_pdt-shr may proceed as follows:

• A and B engage in two instances of F_pdt-shr with inputs (x_A, y_B) and (y_A, x_B) and obtain (α_A, α_B)
and (β_A, β_B) where α_A + α_B = x_A y_B and β_A + β_B = y_A x_B.

• A outputs c_A := x_A y_A + α_A + β_A and B outputs c_B := x_B y_B + α_B + β_B.

There will be several such instances of F_pdt-shr in each round. Note that Protocol τ_OT can be used to
realize multiple instances of F_pdt-shr with a constant amortized algebraic complexity per instance.

The final type of computation performed by servers involving ring elements is equality check between
two ring elements. In all the outer protocols we employ, the result of such an equality test is made public.
(In fact, in our setting of "security with abort," the outer protocols we consider will abort whenever an
inequality is detected by an honest server in such an equality test.) The corresponding inner functionality
needs to check that x_a + x_b = y_a + y_b, where x_a, y_a are identifiers of ring elements known to Alice and
x_b, y_b are known to Bob. One way to do this would be by letting Alice locally compute x_a − y_a, Bob locally
compute y_b − x_b, and then using an arbitrary inner protocol for boolean circuits for comparing the two
identifiers. This relies on our assumption that each ring element has a unique identifier. However, in fact in
the outer protocols we consider, there is a further structure that allows us to avoid this generic approach. The
elements to be compared by a server in our outer protocols will always be known to one of the parties (Alice
or Bob), and hence in a passive-secure implementation this comparison can be done locally by that party.
(This is referred to as a "type I computation" in [IPS08]. Note that given a passive-secure implementation,
the compiler of [IPS08] ensures overall security.)

Below we summarize the results we obtain by combining appropriate choices for the outer protocol with
the inner protocols obtained via the shared-product protocols from Section 4. All these results can be readily
extended to the multi-party setting as well, where the complexity grows polynomially with the number of
parties; see Appendix B.

Unconditionally secure protocol. To obtain our unconditional feasibility result for black-box rings, we
use the protocol from [CFIK03] (which makes a black-box use of an arbitrary ring) as the outer protocol
and the unconditional protocol ρ_OT to build the inner protocol. This yields the following result:

Theorem 1 For any arithmetic circuit C, there exists a protocol Π in the OT-hybrid model that is a secure
black-box realization of C-evaluation for the set of all ring families. The security holds against adaptive
corruption with erasures, in computationally unbounded environments.

The arithmetic communication complexity of the protocol ρ_OT, and hence that of the above protocol,
grows linearly with (a bound on) ⌈log |R_id|⌉. (Recall that, by convention, the required upper bound is given
by |id|; otherwise such a bound can be inferred from the length of identifiers.)

Protocols from noisy encodings. To obtain a computationally secure protocol whose arithmetic commu-
nication complexity is independent of the ring, we shall depend on Assumption 3 instantiated with the code
generation algorithm G_Rand based on random linear codes. By replacing ρ_OT by σ_OT (with G_Rand as the code
generation scheme) in the previous construction we obtain the following:

Theorem 2 Suppose that Assumption 3(a) holds. Then, for every arithmetic circuit C, there exists a pro-
tocol Π in the OT-hybrid model that is a secure black-box realization of C-evaluation for the set of all
computationally efficient field families 𝓕. The security holds against adaptive corruption with erasures.
Further, the arithmetic complexity of Π is poly(k) · |C|, independently of 𝓕 or id.

Using G_Ring instead of G_Rand, this result extends to all ring families for which Assumption 3 holds with
G_Ring. Recall that we propose this assumption for all efficient computational ring families 𝓡.

Theorem 3 Suppose that Assumption 3(b) holds. Then, for every arithmetic circuit C, there exists a pro-
tocol Π in the OT-hybrid model that is a secure black-box realization of C-evaluation for the set of all
computationally efficient ring families 𝓡. The security holds against adaptive corruption, with erasures.
Further, the arithmetic complexity of Π is poly(k) · |C|, independently of 𝓡 or id.

Finally, our most efficient protocol will be obtained by using a variant of the protocol from [DI06] as
the outer protocol (see Appendix) and an inner protocol which is based on τ_OT (with n = O(k) and
t = Ω(k)). To get the specified computational complexity, the size of the field should be super-polynomial
in the security parameter. (The communication complexity does not depend on this assumption.)

Theorem 4 Suppose that Assumption 3(c) holds. Then, for every arithmetic circuit C, there exists a protocol
Π in the OT-hybrid model with the following properties. The protocol Π is a secure black-box realization of
C-evaluation for the set of all computationally efficient field families 𝓕, with respect to all computationally
bounded environments for which |F_id| is super-polynomial in k. The security of Π holds against adaptive
corruption with erasures. The arithmetic communication complexity of Π is O(|C| + k · depth(C)), where
depth(C) denotes the depth of C, and its arithmetic computation complexity is O(log² k) · (|C| + k ·
depth(C)). Its round complexity is O(depth(C)).

By using a suitable choice of fields and evaluation points for the Reed-Solomon encoding (see Section 4.3),
and under a corresponding specialization of Assumption 3(c), the computational overhead of the above
protocol can be reduced from O(log² k) to O(log k). (In this variant we do not attempt to make a black-box
use of the underlying field and rely on the standard representation of field elements.)

Protocols from homomorphic encryption. We also consider protocols which make a black-box^16 use of
homomorphic encryption. These are obtained in a manner similar to above, but using protocols θ and ψ as
the inner protocols and [CFIK03] as the outer protocol. Using these we obtain the following theorems:

Theorem 5 For every arithmetic circuit C, there exists a protocol Π in the OT-hybrid model, such that for
every ring family 𝓡 the protocol Π securely realizes F_C by making a black-box use of any controlled-ring
homomorphic encryption for 𝓡. The security holds against adaptive corruption with erasures. The number
of invocations of the encryption scheme is poly(k) · |C|, independently of 𝓡 or id.

Note that the above theorem can be instantiated with the ring of n by n matrices over Z_p, and the communi-
cation complexity of the resulting protocol would be poly(k) · |C| · n². Combined with [MW08], this yields
constant-round protocols for secure linear algebra which make a black-box use of homomorphic encryption
and whose communication complexity is nearly linear in the input size.

For the case of fields, we obtain the following more efficient version of the result by using the efficient 
outer protocol from Appendix 

Theorem 6 For every arithmetic circuit C, there exists a protocol Π in the OT-hybrid model, such that for
every field family 𝓕, the protocol securely realizes F_C by making a black-box use of any controlled-ring
homomorphic encryption for 𝓕. The security holds against adaptive corruption with erasures. Further, Π
makes O(|C| + k · depth(C)) invocations of the encryption scheme, and the communication complexity is
dominated by sending O(|C| + k · depth(C)) ciphertexts.

We also obtain analogous results for uncontrolled-ring homomorphic encryption: 

Theorem 7 For every arithmetic circuit C there exists a black-box construction of a protocol Π in the
OT-hybrid model from any uncontrolled-ring homomorphic encryption for the standard representation of
the ring family Z_M, such that Π is a secure realization of C-evaluation for the same ring family under
the standard representation. The security holds against adaptive corruption with erasures. The number of
invocations of the encryption scheme is poly(k) · |C|, independently of id, and the communication complexity
is dominated by poly(k) · |C| ciphertexts. During the protocol, the ring size parameter fed to the encryption
scheme by honest parties is limited to k' = O(k + |id|).

If, further, the ring over which C should be computed is restricted to be a field, there exists a proto-
col as above which makes O(|C| + k · depth(C)) invocations of the encryption scheme, and where the
communication complexity is dominated by sending O(|C| + k · depth(C)) ciphertexts.

The efficient version of the above theorem also applies to the case of arithmetic computation over pseudo-
fields, in scenarios where it is computationally hard to find zero divisors. Furthermore, it can be generalized
to the ring of n by n matrices, which when used with constructions of uncontrolled-ring Z_N-homomorphic

16 Here and in the following, when saying that a construction makes a black-box use of a homomorphic encryption primitive we
refer to the notion of a fully black-box reduction, as defined in [RTV04]. This roughly means that not only does the construction
make a black-box use of the primitive, but also its security is proved via a black-box reduction.
encryption schemes from the literature [Pai99, DJ02] would yield arithmetic protocols for matrices over
large rings whose complexity grows quadratically with n.

We finally note that in the stand-alone model, the OT oracle in the above protocols can be realized by
making a black-box use of the homomorphic encryption primitive without affecting the asymptotic number
of calls to the primitive. This relies on the black-box construction from [IKLP06] and the fact that only O(k)
OTs need to be secure against active corruption. Thus, the above theorems hold also in the plain, stand-alone
model (as opposed to the OT-hybrid UC-model), assuming that the underlying ring has identity.
Acknowledgments. We thank Jens Groth, Farzad Parvaresh, Oded Regev, and Ronny Roth for helpful 
discussions. 
A Security Against Adaptive Passive Corruption, with Erasures



Here we present a general transformation, that applies to a class of protocols covering all our protocols from
Section 4, to obtain protocols that are secure against adaptive passive corruption, in the model with erasures.
This transformation is done in a simple way using standard techniques. At a high level, the idea is simply to
call our basic protocol on randomly chosen inputs, erase the "local computations" done while executing the
basic protocol, and then communicate "corrections" in order to convert the outputs of the random execution
into the desired outputs for the real inputs (in a manner very similar to Beaver's reduction of OT to random
OT [Bea95]). Intuitively, in our new protocol, if an adversary adaptively corrupts a party during the initial
random invocation of the basic protocol, there is no problem since the protocol was anyway run on random
inputs chosen independently of the parties' actual inputs (although this is not quite accurate, which is why we
introduce a notion of "special simulation" below). On the other hand, if the adversary corrupts a party after
the basic protocol is done, then since the party has already erased the local computations of the protocol,
we are free to choose a "random-looking" output from the basic protocol in such a way that we can use it to
explain the actual inputs and outputs that we have.

The main protocol in this section, π'_OT, has security against passive adaptive corruption, with erasures,
and is built using any protocol π_OT with a simpler security property described below. Applying the trans-
formation in this section also has another efficiency advantage in scenarios where pre-processing interaction
is possible, and this is discussed briefly in a remark at the end of this section.

A.l Special Simulation Security Against Passive Corruption 

It will be convenient for us to introduce an intermediate notion of security of multi-party computation against 
static passive corruption, which will then enable us to obtain security against adaptive passive corruption 
with erasures. This intermediate security property is quite weak, and is required to hold only against random 
inputs (though the candidates we shall use later in fact satisfy stronger security). 

Let F be a secure function evaluation functionality. We use the following terminology.

• An environment Env is said to be a random-input environment if it provides independent random
inputs (according to a specified distribution) to each party.

• A simulator Sim is said to be a special simulator if it behaves as follows:

1. Sim sends the corrupt parties' inputs to F, and obtains the outputs from F.

2. Sim picks random inputs for all the honest parties to be simulated. Sim also sets the random
tapes of all the parties (corrupt and honest). These choices are (jointly) indistinguishable from
the uniform (or specified) distribution, even given the input of the corrupt parties. (However,
Sim can correlate these choices with the output obtained from F.)

3. Sim ensures that on interacting with the simulated honest parties, the corrupt parties will produce
the same outputs as given by F. If this is not the case Sim will abort. Otherwise, it reports the
view of the corrupt parties in this execution to the environment.

Definition A.1 A protocol π is said to securely realize F on random inputs, against passive corruption, with
special simulation if there exists a special simulator Sim such that for all random-input environments Env
and a static passive adversary Adv, the real execution of the protocol π between the parties is indistinguish-
able to Env from an ideal execution of the parties interacting with F and Sim.
A.2 Special Simulation Security to Security Against Adaptive Corruption with Erasures

Given a protocol π_OT which securely realizes F_pdt-shr on random inputs, against passive corruption, with
special simulation, below we show how to construct a protocol π'_OT with security against adaptive passive
corruption, with erasures.

• Protocol π'_OT. A holds a ∈ R and B holds b ∈ R.

1. A picks r_A ∈ R and B picks r_B ∈ R at random.

2. A and B run π_OT with inputs r_A and r_B respectively, and obtain outputs s_A and s_B respectively.
Note that s_A + s_B = r_A r_B.

3. A and B erase the memory used for π_OT. (They retain the inputs and outputs, namely (r_A, s_A)
and (r_B, s_B) respectively.)

4. A sends a − r_A to B, and B sends b − r_B to A.

5. A outputs z_A := a(b − r_B) + s_A; B outputs z_B := (a − r_A) r_B + s_B. Note that z_A + z_B = ab.
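The following added example (not code from the paper) simulates Protocol π'_OT over the constructed ring Z_m, with the inner protocol π_OT replaced by a trusted-dealer stand-in for F_pdt-shr, split into the offline random-input phase and the online correction phase as in the Remark below; it also serves the Section 5 reduction, building the shared multiplication of (x_A + x_B)(y_A + y_B) from two product-sharing calls.

```python
import secrets

# Ring Z_m in the standard representation; m is a constructed toy modulus.
M = 2 ** 16

def f_pdt_shr(a, b, m=M):
    """Ideal F_pdt-shr (stand-in for pi_OT): random additive shares of a*b over Z_m."""
    z_a = secrets.randbelow(m)
    return z_a, (a * b - z_a) % m

# Protocol pi'_OT, split into the offline phase (steps 1-3, random inputs) and
# the online phase (steps 4-5, corrections), as in the Remark of Appendix A.

def pi_prime_offline(m=M, inner=f_pdt_shr):
    """Steps 1-3: run the inner protocol on random r_A, r_B; keep only (r, s)."""
    r_a, r_b = secrets.randbelow(m), secrets.randbelow(m)   # step 1
    s_a, s_b = inner(r_a, r_b, m)                            # step 2: s_A + s_B = r_A r_B
    # step 3: everything else about the inner execution is erased, so each
    # party's retained state is just its (input, output) pair from the random run
    return (r_a, s_a), (r_b, s_b)

def pi_prime_online(a, state_a, b, state_b, m=M):
    """Steps 4-5: exchange a - r_A and b - r_B, then correct the random shares."""
    r_a, s_a = state_a
    r_b, s_b = state_b
    msg_a = (a - r_a) % m                 # A -> B
    msg_b = (b - r_b) % m                 # B -> A
    z_a = (a * msg_b + s_a) % m           # a(b - r_B) + s_A
    z_b = (msg_a * r_b + s_b) % m         # (a - r_A) r_B + s_B
    return z_a, z_b

def pi_prime_ot(a, b, m=M):
    """Full pi'_OT on real inputs a, b: returns shares (z_A, z_B) of ab."""
    state_a, state_b = pi_prime_offline(m)
    return pi_prime_online(a, state_a, b, state_b, m)

# Section 5: shared multiplication from two product-sharing calls.

def shared_mult(x_a, y_a, x_b, y_b, m=M, pdt_shr=pi_prime_ot):
    """A holds (x_A, y_A), B holds (x_B, y_B); returns shares of (x_A+x_B)(y_A+y_B)."""
    alpha_a, alpha_b = pdt_shr(x_a, y_b, m)   # alpha_A + alpha_B = x_A y_B
    beta_a, beta_b = pdt_shr(y_a, x_b, m)     # beta_A + beta_B = y_A x_B
    c_a = (x_a * y_a + alpha_a + beta_a) % m
    c_b = (x_b * y_b + alpha_b + beta_b) % m
    return c_a, c_b

if __name__ == "__main__":
    z_a, z_b = pi_prime_ot(12345, 54321)
    print((z_a + z_b) % M == (12345 * 54321) % M)
    c_a, c_b = shared_mult(11, 22, 33, 44)
    print((c_a + c_b) % M == ((11 + 33) * (22 + 44)) % M)
```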

We now show the following: 

Lemma 5 For any π_OT which securely realizes F_pdt-shr on random inputs, against passive corruption, with
special simulation, protocol π'_OT is a secure realization of F_pdt-shr against adaptive passive corruption with
erasures. If the security of π_OT is statistical, so is that of π'_OT.

PROOF SKETCH: The interesting cases are when during the protocol initially A is corrupted and later B is 
corrupted, or when initially B is corrupted and later A is corrupted. (Recall that all corruptions are passive.) 

Let Env be an arbitrary environment which gives A and B inputs for π'_OT. We will consider the case
when A is corrupted initially and B may be corrupted later. The other case is symmetric for this analysis.
Our simulator Sim works as follows.

• Sim sends a to F_pdt-shr and obtains z_A from it.

• Sim picks a random value c ← R and sets s_A := z_A − ac, and also picks a random value r_A ← R.

• Next Sim internally runs the special simulator Sim' for π_OT with r_A as input to A. Sim' expects to
interact with an instance of F_pdt-shr, which, for clarity, we will denote by F'_pdt-shr. Sim simulates
F'_pdt-shr by providing s_A as the output for A.

• If Env instructs to corrupt B before this simulation finishes and the erasure step (step 3) is simulated,
then Sim obtains the simulated state for B in π_OT from Sim'; then Sim constructs a state for B in π'_OT
by combining this with b, the input to B (which is not used until step 4 of the protocol), and reports
this to Env.

• If B is still not corrupted at step 4, Sim uses the value c as the simulated message from B to A in step
4. Note that z_A = ac + s_A.

• By this step B has already erased his state from the execution of π_OT. So if B is corrupted at any
point after this, its state can be explained by giving (b, r_B, s_B): for this the simulator Sim will obtain
b by corrupting B in the ideal world, and set r_B := b − c and s_B := r_A r_B − s_A, where r_A and s_A are
the input and output of A in the simulated execution of π_OT. Note that this pair (r_B, s_B) is consistent
with (r_A, s_A) by the functionality F_pdt-shr.
The indistinguishability of the simulation follows from the two requirements on the simulator Sim' for π_OT:
that it is a special simulator and that it provides an indistinguishable simulation against static corruption (on
random inputs).

If B is corrupted before step 4, the simulated execution is indistinguishable from the real execution. To
see this, firstly note that Sim' is given s_A as the output from F'_pdt-shr, but this is indeed a random element
(because z_A is random). Then, Sim' is guaranteed to set the random tape of A, as well as B's input and
random tape, to be indistinguishable from uniformly random choices. So the simulated states of A and
B are indistinguishable from the real execution up to step 4. The simulated state of B is completed by
incorporating B's input b (the state used in the execution before step 4 being independent of b).

If B is corrupted after step 4, then we consider the following two experiments, with an environment Env'
which consists of the given environment Env as well as the part of our simulator which picks c (but does not
get z_A or compute s_A). The environment Env' provides r_A as input to A and r_B := b − c to B. It outputs
the bit output by Env.

REAL: A and B execute π_OT on their inputs from Env'.

IDEAL: In the IDEAL execution F'_pdt-shr gives a random pair (s_A, s_B) such that s_A + s_B = r_A r_B. Sim'
interacts with Env' simulating the internal state of A.

By the security requirement on Sim', the two experiments are indistinguishable to the environment Env'.
Further, the REAL experiment above is identical to the REAL execution of π'_OT with Env. To complete the
proof we need to argue that the IDEAL execution above (with Env') is identical to our IDEAL execution (with
Env). Note that in our description of the simulation s_A := z_A − ac, whereas in the IDEAL execution with
Env', s_A is just a random element. However, though the environment Env' knows a and c, z_A will be picked
at random (by F_pdt-shr in our IDEAL execution). In other words, we could consider a modified F_pdt-shr which
receives ac from the environment Env, then picks a random element z_A and sets s_A := z_A − ac, without
altering the experiment. With this modification, our IDEAL execution (with Env and Sim) is identical to the
ideal execution with Env' and Sim'.

□

In Section 4, for the protocols $\pi_{OT}$, $\sigma_{OT}$ and $\tau_{OT}$ we showed security against static passive corruption 
(even for non-random inputs). The simulators we used in these proofs are in fact special simulators. The 
same is easily seen to be true for protocols $\theta$ and $\psi$ based on homomorphic encryption. Thus we have the 
following result. 

Lemma 6 Protocols $\pi_{OT}$, $\sigma_{OT}$, $\tau_{OT}$, $\theta$, and $\psi$ securely realize $\mathcal{F}_{\text{pdt-shr}}$ (or its variant in the case of Protocol 
$\tau_{OT}$), on random inputs, against passive corruption, with special simulation. 

Hence, by plugging them into the protocol of this section we obtain corresponding protocols which are secure 
against passive, adaptive corruption with erasures. 

Remark. The structure of the protocol in this section allows an efficiency gain by employing pre-processing. 
The first half of the protocol, which is executed on random inputs, can be carried out before the actual function 
evaluation starts. Further, when used to implement a reactive functionality, the entire set of steps 
involving OT that will ever be used in the lifetime of the protocol can be carried out up front. In fact, later, 
in applying our protocols as the "inner protocol" of the final construction, we can use this reactive variant. 
B Extension to Multi-Party Computation 



In this section, we briefly sketch what is involved in extending our results to the multi-party case. 

The protocol in [IPS08] extends to more than two parties, given inner and outer protocols for that many 
parties. The outer protocols from [DI06] and [CFIK03] do extend to the multi-party setting (called the 
"multi-client" setting in [IPS08]; see there for more details). Hence by extending our inner protocol to the multi-party 
setting, all our results extend similarly. 

In the general multi-party case the only non-trivial kind of computation carried out by the servers in the 
outer protocol is as follows: 

• Each party $P_i$ ($i = 1, \ldots, m$) sends $x_i$ and $y_i$ to the server. 

• The server computes random values $c_i$ such that $\sum_i c_i = \big(\sum_i x_i\big)\big(\sum_i y_i\big)$. Each party $P_i$ is given $c_i$ as 
the output. 

A protocol for this using $\mathcal{F}_{\text{pdt-shr}}$ is as follows: 

• For each ordered pair $i \neq j$, parties $P_i$ and $P_j$ engage in an instance of $\mathcal{F}_{\text{pdt-shr}}$ with inputs 
$(x_i, y_j)$ and obtain outputs $(\alpha_{i,j}, \alpha'_{i,j})$, respectively, where $\alpha_{i,j} + \alpha'_{i,j} = x_i y_j$. 



The correctness of this protocol, and its (perfect) privacy against passive corruptions, is standard and 
analogous to the binary case from [GMW87]. 
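To make the reduction concrete, here is an added Python sketch (not code from the paper) of the $m$-party product-sharing step, with $\mathcal{F}_{\text{pdt-shr}}$ modelled as an ideal oracle that hands out random additive shares of $x_i y_j$. The page does not spell out how each party combines its pairwise outputs; the sketch assumes the usual GMW-style combination, $c_i = x_i y_i$ plus the shares $P_i$ received from every instance it took part in, which makes the $c_i$ sum to $(\sum_i x_i)(\sum_i y_i)$. The ring $\mathbb{Z}_P$ with $P = 2^{61}-1$, the sample inputs and the function names are constructed for the example.

```python
import random

P = 2**61 - 1  # assumption: the ring is Z_P for this prime (any ring works for this step)


def pdt_shr(x, y, rng=random):
    """Ideal F_pdt-shr for one ordered pair: P_i contributes x, P_j contributes y, and
    they receive additive shares (alpha, alpha') of x*y, each one uniformly random."""
    alpha = rng.randrange(P)
    return alpha, (x * y - alpha) % P


def product_shares(xs, ys, rng=random):
    """Inputs: x_i, y_i of parties P_1..P_m.  Output: c_1..c_m with
    sum_i c_i = (sum_i x_i) * (sum_i y_i).
    Assumption (the page leaves the final step implicit): P_i sets c_i = x_i*y_i plus
    its outputs from every pair instance it took part in, the same combination as in
    the binary GMW protocol."""
    m = len(xs)
    cs = [x * y % P for x, y in zip(xs, ys)]
    for i in range(m):
        for j in range(m):
            if i != j:
                a_ij, a_ji = pdt_shr(xs[i], ys[j], rng)  # pair (i, j): inputs (x_i, y_j)
                cs[i] = (cs[i] + a_ij) % P               # P_i keeps alpha_{i,j}
                cs[j] = (cs[j] + a_ji) % P               # P_j keeps alpha'_{i,j}
    return cs


def is_product_sharing(xs, ys, cs):
    """Correctness check in the clear, for the demonstration only."""
    return sum(cs) % P == (sum(xs) * sum(ys)) % P


def num_instances(m):
    """Number of F_pdt-shr instances used: one per ordered pair i != j."""
    return m * (m - 1)


if __name__ == "__main__":
    xs, ys = [1, 2, 3], [4, 5, 6]          # constructed sample inputs
    cs = product_shares(xs, ys)
    print(cs, is_product_sharing(xs, ys, cs), num_instances(3))
```

Each $c_i$ on its own is uniformly random (it is masked by the fresh $\alpha$ values of the instances $P_i$ took part in), which is what the passive-security argument uses; only the sum is fixed.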



In this section, which is adapted from a preliminary full version of [IPS08], we describe a variant of the 
protocol from [DI06] which we use as the efficient outer MPC protocol in our constructions. We restrict the 
attention to the case of black-box fields (alternatively, pseudo-fields), and assume that the field size is 
superpolynomial in the security parameter. (This assumption can be removed at a minor cost to the arithmetic 
complexity.) 

The protocol involves $n$ servers and $m$ clients ($m = 2$ by default), where only clients have inputs and 
outputs. The protocol is statistically UC-secure against an adaptive adversary corrupting an arbitrary number 
of clients and some constant fraction of the servers. We note that unlike the protocol from [DI06], here we 
do not need to guarantee output delivery and may settle for the weaker notion of "security with abort". This 
makes the protocol simpler, as it effectively means that whenever an inconsistency is detected by an honest 
party, this party can broadcast a complaint which makes the protocol abort. 

For simplicity we assume that all $n + m$ parties in the MPC protocol have common access to an oracle 
which broadcasts random field elements, and do not count these elements towards the communication 
complexity. In [DI06] this is emulated via a distributed coin-flipping protocol and an $\epsilon$-biased generator [NN90], 
which reduce the communication cost of implementing this procedure. Alternatively, random field elements 
can be directly generated by the $m$ clients in the final protocol via efficient coin-flipping in the OT-hybrid 
model. 

Before describing the protocol, we summarize its main efficiency features. For simplicity we shall 
restrict ourselves to $n = O(k)$, where $k$ is a statistical security parameter, and a constant number of clients 
$m$. To evaluate an arithmetic circuit $C$ of size $s$ and multiplicative depth $d$, the arithmetic communication 
complexity is $O(s + kd)$.$^{18}$ Assuming broadcast as an atomic primitive, the protocol requires $O(d)$ rounds. 
(We note that in the final $m$-party protocol obtained via the technique of [IPS08], broadcast only needs to be 
performed among the clients; in particular, in the two-party case broadcast can be implemented by directly 
sending the message.) 

The computational complexity will be addressed after we describe the protocol. 

To simplify the following exposition we will only consider the case of two clients Alice and Bob. An 
extension to the case of a larger number of clients is straightforward. 

Another simplifying assumption is that the circuit $C$ consists of $d$ layers, where each layer performs 
addition, subtraction, or multiplication operations on values produced by the previous layer only. Circuits 
of an arbitrary structure can be easily handled at a worst-case additive cost of $O(nd)$, independently of the 
circuit size. (This cost can be amortized away for almost any natural instance of a big circuit. For instance, 
a sufficient condition for eliminating this cost is that for any two connected layers there are at least $n$ wires 
connecting between the layers.) 

C.1 Building Blocks 

The protocol relies on tools and sub-protocols that we describe below. 

Secret sharing for blocks. Shamir's secret sharing scheme [Sha79] distributes a secret $s \in F$ by picking 
a random degree-$\delta$ polynomial $p$ such that $p(0) = s$, and sending to server $j$ the point $p(j)$. Here $F$ is a 
finite field such that $|F| > n$. By $1, 2, \ldots, n$ we denote distinct interpolation points, which in the case of 
black-box access to $F$ can be picked at random. The generalization of Franklin and Yung [FY92] achieves 
far better efficiency with a minor cost to the security level. In this scheme, a block of $\ell$ secrets $(s_1, \ldots, s_\ell)$ is 
shared by picking a random degree-$\delta$ polynomial $p$ such that $p(1-j) = s_j$ for all $j$, and distributing to server 
$j$ the point $p(j)$. (Here we assume that $-\ell+1, \ldots, n$ denote $n + \ell$ distinct field elements.) Any set of $\delta + 1$ 
servers can recover the entire block of secrets by interpolation. On the other hand, any set of $t = \delta - \ell + 1$ 
servers learns nothing about the block of secrets from their shares. (Secret sharing schemes in which there is 
a gap between the privacy and reconstruction thresholds are often referred to as "ramp schemes".) For our 
purposes, we will choose $\ell$ to be a small constant fraction of $n$ and $\delta$ a slightly bigger constant fraction of $n$ 
(for instance, one can choose $\delta = n/3$ and $\ell = n/4$). This makes the amortized communication overhead 
of distributing a field element constant, while maintaining secrecy against a constant fraction of the servers. 

Adding and multiplying blocks. Addition (or subtraction) and multiplication of shared blocks is 
analogous to the use of Shamir's scheme in the BGW protocol [BGW88]. Suppose that a block $a = (a_1, \ldots, a_\ell)$ 
was shared via a polynomial $p_a$ and a block $b = (b_1, \ldots, b_\ell)$ was shared via a polynomial $p_b$. The servers 
can then locally compute shares of the polynomial $p_a + p_b$, which are valid shares for the sum $a + b$ of the 
two blocks. If each server multiplies its two local shares, the resulting $n$ points are a valid secret sharing 
using the degree-$2\delta$ polynomial $p = p_a p_b$ of the block $ab = (a_1 b_1, \ldots, a_\ell b_\ell)$. Note, however, that even if 
$p_a, p_b$ were obtained from a random secret sharing, $p_a p_b$ is not a random degree-$2\delta$ secret sharing of $ab$. 
Thus, if we want to reveal $ab$ we will need to mask $p_a p_b$ by a random degree-$2\delta$ secret sharing of a block 
of 0's before revealing it. Also, in order to use $ab$ for subsequent computations we will need to reduce its 
degree back to $\delta$. 

$^{18}$ While we do not attempt here to optimize the additive $O(kd)$ term, we note that a careful implementation of the protocol seems 
to make this term small enough for practical purposes. In particular, the dependence of this term on $d$ can be eliminated for typical 
circuits. 
Proving membership in a linear space. The protocol will often require a client to distribute to the servers 
a vector $v = (v_1, \ldots, v_n)$ (where each $v_j$ includes one or more field elements) while assuring them that $v$ 
belongs to some linear space $L$. This should be done while ensuring that the adversary does not learn more 
information about $v$ than it is entitled to, and while ensuring the honest parties that the shares they end 
up with are consistent with $L$. For efficiency reasons, we settle for having the shares of the honest parties 
close to being consistent with $L$. Since we will only use this procedure with $L$ that form an error correcting 
code whose minimal distance is a large constant multiple of $\delta$, the effect of a few "incorrect" shares can be 
undone via error correction. (In fact, in our setting of security with abort, error detection will be sufficient.) 
More concretely, our procedure takes input $v = (v_1, \ldots, v_n) \in L$ from a dealer $D$ (Alice or Bob). In the 
presence of an active, adaptive adversary who may corrupt any client and at most $t$ servers, it should have 
the following properties: 

• Completeness: If $D$ is uncorrupted then every honest server $j$ outputs $v_j$. 

• Soundness: Suppose $D$ is corrupted. Except with negligible probability, either all honest servers reject 
(in which case the dealer is identified as being a cheater), or alternatively the joint outputs of all $n$ 
servers are at most $2t$-far (in Hamming distance) from some vector $v \in L$. 

• Zero-Knowledge: If $D$ is uncorrupted, the adversary's view can be simulated from the shares $v_j$ of 
corrupted servers. 

Verifiable Secret Sharing (VSS) can be obtained by applying the above procedure on the linear space 
defined by the valid share vectors. Note that in contrast to standard VSS, we tolerate some inconsistencies 
to the shares on honest servers. Such inconsistencies will be handled by the robustness of the higher level 
protocol. 

Implementing proofs of membership. We will employ a sub-protocol from [DI06] (Protocol 5.1) for 
implementing the above primitive. This protocol amortizes the cost of proving that many vectors $v^1, \ldots, v^q$ 
owned by the same dealer $D$ belong to the same linear space $L$ by taking random linear combinations of 
these vectors together with random vectors from $L$ that are used for blinding. The high level structure of 
this protocol is as follows. 

• Distributing shares. $D$ distributes $v^1, \ldots, v^q$ to the servers. 

• Distributing blinding vectors. $D$ distributes a random vector $r \in L$ that is used for blinding. (This 
step ensures the zero-knowledge property; soundness does not depend on the valid choice of this $r$.) 

• Coin-flipping. The players invoke the random field element oracle to obtain a length-$q$ vector defining 
a random linear combination of the $q$ vectors distributed by the dealer. (In [DI06] this is implemented 
using distributed coin-flipping and an $\epsilon$-biased generator; in our setting this can be implemented 
directly by the clients in the OT-hybrid model. Moreover, in the case of two clients we let the other 
client, who does not serve as a dealer, pick $r$ on its own.) 

• Proving. The dealer computes the linear combination of its vectors $v^i$ defined by $r$, and adds to it the 
corresponding blinding vector. It broadcasts the result. 

• Complaining. Each server applies the linear combination specified by $r$ to its part of the vectors 
distributed by the dealer, and ensures that the result is consistent with the value broadcast in the 
previous step. If any inconsistency is detected, the server broadcasts a complaint and the protocol 
aborts. Also, the protocol aborts if the vector broadcast by the dealer is not in $L$. 

• Outputs. If no server broadcast a complaint, the servers output the shares distributed by the dealer 
in the first step (discarding the blinding vectors and the results of the coin-flips). 

In the case of a static corruption of servers, if the shares dealt to honest servers are inconsistent, the 
protocol will abort except with probability $1/|F|$, which is assumed to be negligible in $k$. The adaptive case is 
a bit more involved, since the adversary can choose which servers to corrupt only after the random linear 
combination is revealed. This case is easy to analyze via a union bound (which requires that $|F| > \binom{n}{t}$). 
Alternatively, a tighter analysis shows that if $|F|$ is superpolynomial in $k$ then, except with negligible 
probability, either the protocol aborts or there exists a small set $B$ of servers such that all shares held by the honest 
servers excluding those in $B$ are consistent with a valid codeword from $L$. This condition is sufficient for 
the security of the protocol. 

We will sometimes employ the above protocol in a scenario where vectors $v^1, \ldots, v^q$ are already 
distributed between the servers and known to the dealer, and the dealer wants to convince the servers that these 
shares are consistent with $L$. In such cases we will employ the above sub-protocol without the first step. 
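A runnable sketch of the five steps of that sub-protocol, added here as an illustration rather than taken from [DI06] or from the paper, with all $n$ servers honest and the servers' checks written out. The linear space $L$ is a toy stand-in (the kernel of two parity checks over $F_P$ with $P = 2^{61}-1$ and $n = 8$ servers), chosen so that membership and sampling from $L$ need no polynomial interpolation; the procedure itself does not depend on this choice. The dealer's vectors and the corruption of one share in the cheating run are constructed sample data, and the function names are the example's own.

```python
import random

P = 2**61 - 1  # assumption: field F_P, so 1/|F| is negligible
N = 8          # assumption: number of servers

# Toy linear space L = ker(H) for the two parity checks below (assumption; a stand-in
# for the paper's spaces of share vectors).  A vector is in L iff both rows dot to 0.
H = [[1] * N, list(range(1, N + 1))]


def in_space(v):
    """Membership test v in L, run by the servers on the dealer's broadcast."""
    return all(sum(h * x for h, x in zip(row, v)) % P == 0 for row in H)


def random_in_space(rng=random):
    """Uniform element of L: free first N-2 coordinates, last two solved from H."""
    v = [rng.randrange(P) for _ in range(N - 2)]
    s1 = sum(v) % P
    s2 = sum(j * x for j, x in enumerate(v, start=1)) % P
    x = (s2 - N * s1) % P        # solves x + y = -s1 and (N-1)x + N*y = -s2
    y = (-s1 - x) % P
    return v + [x, y]


def combine(coins, vectors, blind):
    """sum_i coins[i] * vectors[i] + blind, coordinate by coordinate over F_P."""
    out = list(blind)
    for c, v in zip(coins, vectors):
        out = [(o + c * x) % P for o, x in zip(out, v)]
    return out


def coin_flip(q, rng=random):
    """The random field element oracle: a length-q combination vector."""
    return [rng.randrange(P) for _ in range(q)]


def verify(dealt, blind, coins, broadcast):
    """Servers' side.  dealt[i][j] is server j's part of v^i, blind[j] its part of r.
    Returns 'accept', or 'abort' if the broadcast is outside L or some server's own
    combination of its parts disagrees with it (that server complains)."""
    if not in_space(broadcast):
        return "abort"
    own = combine(coins, dealt, blind)
    for j in range(N):
        if own[j] != broadcast[j]:
            return "abort"     # server j broadcasts a complaint
    return "accept"


def honest_run(q=3, rng=random):
    """Honest dealer: q vectors in L, a blinding vector in L, truthful broadcast."""
    dealt = [random_in_space(rng) for _ in range(q)]
    blind = random_in_space(rng)
    coins = coin_flip(q, rng)
    return verify(dealt, blind, coins, combine(coins, dealt, blind))


def cheating_run(rng=random):
    """Dealer corrupts one server's part of v^2, so v^2 is not in L, then tries both
    options: broadcast the true combination (fails the L check) or the combination of
    the uncorrupted vectors (in L, but server 3 sees a mismatch).  Returns both verdicts."""
    good = [random_in_space(rng) for _ in range(3)]
    blind = random_in_space(rng)
    dealt = [list(v) for v in good]
    dealt[1][3] = (dealt[1][3] + 1) % P          # constructed corruption of one share
    coins = coin_flip(3, rng)
    truthful = combine(coins, dealt, blind)
    disguised = combine(coins, good, blind)
    return verify(dealt, blind, coins, truthful), verify(dealt, blind, coins, disguised)


if __name__ == "__main__":
    print(honest_run(), cheating_run())
```

Either cheating option survives only when the coin for the corrupted vector is 0, i.e. with probability $1/|F|$, which is the static-corruption bound stated above; the blinding vector plays no role in soundness, exactly as the page notes.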

Proving global linear constraints. We will often need to deal with a more general situation of proving 
that vectors $v^1, \ldots, v^q$ not only lie in the same space $L$, but also satisfy additional global constraints. A 
typical scenario applies to the case where the $v^i$ are shared blocks defined by degree-$\delta$ polynomials. In such 
a case, we will need to prove that the secrets shared in these blocks satisfy a specified replication pattern 
(dictated by the structure of the circuit $C$ we want to compute). Such a replication pattern specifies which 
entries in the $q$ blocks should be equal. An observation made in [DI06] is that: (1) such a global constraint 
can be broken into at most $q\ell$ atomic conditions of the type "entry $i$ in block $j$ should be equal to entry $i'$ 
in block $j'$", and (2) by grouping these atomic conditions into $\ell^2$ types defined by $(i, i')$, we can apply the 
previous verification procedure to simultaneously verify all conditions in the same type. That is, to verify 
all conditions of type $(i, i')$ each server concatenates its two shares of every pair of blocks that should be 
compared in this type, and then applies the previous verification procedure with $L$ being the linear space of 
points on degree-$\delta$ polynomials $(p_1, p_2)$ which satisfy the constraint $p_1(1 - i) = p_2(1 - i')$. Unlike [DI06] 
we will also employ the above procedure in the case where $p_1, p_2$ may be polynomials of different degrees 
(e.g., $\delta$ and $2\delta$), but the same technique applies to this more general case as well. 

C.2 The Protocol 

The protocol is a natural extension of the protocol from [DI06], which can be viewed as handling the special 
case of constant-depth circuits using a constant number of rounds. We handle circuits of depth $d$ by using 
$O(d)$ rounds of interaction. The protocol from [DI06] handles general functions by first encoding them into 
$NC^0$ functions, but such an encoding step is too expensive for our purposes and in any case does not apply 
to the arithmetic setting. The protocol is simplified by the fact that we only need to achieve "security with 
abort", as opposed to the full security of the protocol from [DI06]. 

Recall that we assume the circuit $C$ to consist of $d$ layers, and that each gate in layer $i$ depends on 
two outputs from layer $i - 1$. 

The high level strategy is to pack the inputs for each layer into blocks in a way that allows evaluating 
multiplication, addition, and subtraction gates in this layer "in parallel" on pairs of blocks. That is, the 
computation of the layer will consist of disjoint parallel computations of the form $a \cdot b$, $a + b$, and $a - b$, 
where $a$ and $b$ are blocks of $\ell$ binary values and the ring operation is performed coordinate-wise. This will 
require blocks to be set up so that certain inputs appear in several places. Such a replication pattern will be 
enforced using the procedure described above. Throughout the protocol, if a prover is caught cheating the 
protocol is aborted. 

The protocol will proceed as follows: 

1. Sharing inputs. The clients arrange their inputs into blocks with a replication pattern that sets up the 
parallel evaluation for the first layer (namely, so that the first layer will be evaluated by applying the 
same arithmetic operation to blocks 1, 2, to blocks 3, 4, etc.). Each client then secret-shares its blocks, 
proving to the servers that the shares of each block agree with a polynomial of degree at most $\delta$ and 
that the secrets in the shared blocks satisfy the replication pattern determined by the first layer of $C$. 
(Such proofs are described in the previous section.) 

If we want to enforce input values to be boolean (namely, either 0 or 1) this can be done in a standard 
way by letting the servers securely reveal $a - a \cdot a$ for each block $a$ (which should evaluate to a block 
of 0's). 

2. Evaluating $C$ on shared blocks. The main part of the protocol is divided into $d$ phases, one for 
evaluating each layer of $C$. For $h = 1, 2, \ldots, d$ we repeat the following: 

• Combining and blinding. At the beginning of the phase, the inputs to layer $h$ are arranged 
into blocks, so that the outputs of layer $h$ can be obtained by performing some arithmetic operation 
on each consecutive pair of blocks. Moreover, each block is secret-shared using a degree-$\delta$ 
polynomial. Addition and subtraction on blocks can be handled non-interactively by simply 
letting each server locally add or subtract its two shares. In the following we address the more 
involved case of multiplication. We would like to reveal the outputs of the layer to Alice, masked 
by random blinding blocks picked by Bob. For this, Bob will VSS random blocks, one for each 
block of output. The secret sharing of these blocks is done using polynomials of degree $2\delta$. 
(Again, verifying that the shares distributed by Bob are valid is done using the procedure 
described above.) For every pair of input blocks $a, b$ whose product is computed, each server $j$ 
locally computes the degree-2 function $c(j) = a(j)b(j) + r(j)$, where $a(j), b(j)$ are its shares 
of $a, b$ and $r(j)$ is its share of the corresponding blinding block $r$ distributed by Bob. For each 
pair of blocks combined in this way, the server sends its output (a single field element) to Alice. 
Note that the points $c(j)$ lie on a random degree-$2\delta$ polynomial $p_c$, and thus reveal no 
information about $a, b$. Moreover, the polynomial $p_c$ can be viewed as some valid degree-$2\delta$ secret 
sharing of the block $c = ab + r$. 

• Reducing degree and rearranging blocks for layer $h + 1$. Alice checks that the points $c(j)$ indeed 
lie on a polynomial $p_c$ of degree at most $2\delta$ (otherwise she aborts). Then she recovers the blinded 
output block $c = ab + r$ by letting $c_j = p_c(1 - j)$. Now Alice uses all blinded blocks $c$ obtained 
in this way to set up the (blinded) blocks for computing layer $h + 1$. 

For this, she sets up a new set of blocks that are obtained by applying a projection (namely, 
permuting and copying) to the blocks $c$ that corresponds to the structure of layer $h + 1$. (In 
particular, the number of new blocks in which an entry in a block $c$ will appear is precisely the 
fan-out of the corresponding wire in $C$.) Let $c'$ denote the rearranged blinded blocks. 
Now Alice secret-shares each block $c'$ using a degree-$\delta$ polynomial $p_{c'}$. She needs to prove 
to the servers that the shares she distributed are of degree $\delta$ and that the entries of the shared 
blocks $c'$ satisfy the required relation with respect to the blocks $c$ that are already shared between 
the servers using degree-$2\delta$ polynomials. Such a proof can be efficiently carried out using the 
procedure described above. Note that pairs of polynomials $(p_c, p_{c'})$ such that $p_c$ is of degree 
at most $2\delta$, $p_{c'}$ is of degree at most $\delta$, and $p_c(i) = p_{c'}(j)$ form a linear space (for any fixed $i, j$), 
and hence the $2n$ evaluations of such polynomials on the points that correspond to the 
servers form a linear subspace of $F^{2n}$. Also, the corresponding code will have a large minimal 
distance because of the degree restriction, which ensures that the adversary cannot corrupt a valid 
codeword without being detected (or even corrected, in the setting of security without abort). 

• Unblinding. To set up the input blocks for the evaluation of layer $h + 1$, we need to cancel 
the effect of the blinding polynomials $p_r$ distributed by Bob. For this, Bob distributes random 
degree-$\delta$ unblinding polynomials $p_{r'}$ that encode blocks $r'$ obtained by applying to the $r$ blocks 
the same projection defined by the structure of layer $h + 1$ that was applied by Alice. Bob proves 
that the polynomials $p_{r'}$ are consistent with the $p_r$ similarly to the corresponding proof of Alice 
in the previous step. (In fact, both sharing the $p_{r'}$ and proving their correctness could be done in 
the first step.) Finally, each server obtains its share of an input block $a$ for layer $h + 1$ by letting 
$a(j) = c'(j) - r'(j)$. 

3. Delivering outputs. The outputs of $C$ are revealed to the clients by having the servers send their shares 
of each output block to the client who should receive it. The client checks that the $n$ values received 
for each block are consistent with a degree-$\delta$ polynomial (otherwise it aborts), and recovers the output 
of this block. 
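As an added illustration (not code from the paper), the following Python sketch runs one multiplication of the layer evaluation above end to end on a toy field, and at the same time shows the block secret sharing and the local addition and multiplication of shares from Section C.1: Franklin-Yung sharing with $p(1-j) = s_j$, servers forming $c(j) = a(j)b(j) + r(j)$ from Bob's degree-$2\delta$ blinding block, Alice's degree check and recovery of $c = ab + r$, her degree-$\delta$ re-sharing, and the servers' local unblinding. The field $F_P$ with $P = 2^{61}-1$, the parameters $n = 12$, $\delta = 4$, $\ell = 3$, the placement of the extra defining points of $p$ at $-\ell, -\ell-1, \ldots$, and all function names are assumptions of the example; the projection for layer $h+1$ is taken to be the identity and the membership proofs are left out.

```python
import random

P = 2**61 - 1  # assumption: the field F is F_P for this Mersenne prime


def interpolate(points, x):
    """Value at x of the unique polynomial through the (x_i, y_i) points, over F_P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share_block(block, delta, n, rng=random):
    """Franklin-Yung sharing: a random degree-delta polynomial p with p(1-j) = s_j;
    server j (j = 1..n) receives p(j).  The ell secrets fix ell of the delta+1 defining
    points; the remaining ones sit at -ell, -ell-1, ... (assumption) with random values."""
    ell = len(block)
    assert ell <= delta + 1 and delta < n
    fixed = [((1 - j) % P, s % P) for j, s in enumerate(block, start=1)]
    fixed += [((-ell - i) % P, rng.randrange(P)) for i in range(delta + 1 - ell)]
    return [interpolate(fixed, j) for j in range(1, n + 1)]


def consistent(shares, degree):
    """shares: list of (j, p(j)).  True iff all points lie on one polynomial of degree
    at most `degree` (the check Alice runs before accepting revealed points)."""
    defining, rest = shares[:degree + 1], shares[degree + 1:]
    return all(interpolate(defining, j) == y for j, y in rest)


def open_block(shares, ell, degree):
    """Recover the block s_j = p(1-j) from consistent shares; abort otherwise."""
    if not consistent(shares, degree):
        raise ValueError("shares inconsistent with a degree-%d polynomial: abort" % degree)
    return [interpolate(shares[:degree + 1], (1 - j) % P) for j in range(1, ell + 1)]


def local_add(sx, sy):
    """Addition of blocks: each server adds its two shares (degree stays delta)."""
    return [(x + y) % P for x, y in zip(sx, sy)]


def privacy_threshold(delta, ell):
    """t = delta - ell + 1: the largest number of shares that reveals nothing."""
    return delta - ell + 1


def multiply_layer(sa, sb, ell, delta, n, rng=random):
    """One multiplication of the protocol on shared blocks a, b (shares sa, sb)."""
    # Bob VSS's a random blinding block r with a degree-2*delta polynomial.
    r = [rng.randrange(P) for _ in range(ell)]
    sr = share_block(r, 2 * delta, n, rng)
    # Each server j computes c(j) = a(j)b(j) + r(j) and sends it to Alice.
    c_points = [(j, (sa[j - 1] * sb[j - 1] + sr[j - 1]) % P) for j in range(1, n + 1)]
    # Alice checks the points lie on a degree-2*delta polynomial and reads c = ab + r.
    c = open_block(c_points, ell, 2 * delta)
    # Alice re-shares the blinded block with degree delta (identity projection here).
    sc = share_block(c, delta, n, rng)
    # Bob shares the unblinding block r' = r with degree delta; servers subtract locally.
    sr2 = share_block(r, delta, n, rng)
    return [(x - y) % P for x, y in zip(sc, sr2)]


def demo(rng=None):
    """Constructed sample: a = (3,5,7), b = (2,4,6); returns the opened a+b and a*b."""
    rng = rng or random.Random(2024)
    n, delta, ell = 12, 4, 3
    sa = share_block([3, 5, 7], delta, n, rng)
    sb = share_block([2, 4, 6], delta, n, rng)
    s_sum = local_add(sa, sb)
    s_prod = multiply_layer(sa, sb, ell, delta, n, rng)
    return (open_block(list(enumerate(s_sum, start=1)), ell, delta),
            open_block(list(enumerate(s_prod, start=1)), ell, delta))


if __name__ == "__main__":
    print(demo())  # ([5, 9, 13], [6, 20, 42])
```

With these parameters $2\delta + 1 = 9 \le n$, so Alice can both interpolate $p_c$ and check the three remaining points against it; a tampered $c(j)$ from a corrupt server fails `consistent` and triggers the abort, which is the "security with abort" behaviour the protocol relies on.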

Communication complexity. By the choice of parameters, the communication overhead of encoding each 
block of field elements is constant. Accounting for narrow layers (whose size is smaller than one block) as 
well as wires between non-adjacent layers, we get an additive arithmetic communication overhead of $O(nd)$ 
(accounting for the worst-case scenario in which one may need to maintain a block of values to be used in each 
subsequent layer). As noted above, this overhead can be reduced or even eliminated in most typical cases. 
Finally, the cost of picking random field elements for the random linear combinations can be reduced via the 
use of (arithmetic) $\epsilon$-biased generators or directly improved via an alternative procedure described below. 

Computational complexity. Using known FFT-based techniques for multipoint polynomial evaluation 
and interpolation, both the secret sharing and the reconstruction of a block of length $\ell$ with $n = O(\ell)$ 
servers can be done with arithmetic complexity of $O(\ell \log^2 \ell)$ [vzGG99]. Choosing evaluation points which 
are $n$-th roots of unity, this complexity can be reduced to $O(\ell \log \ell)$ (at the expense of sacrificing the 
black-box use of the field). The computational bottleneck in the above protocol is the procedure for verifying that 
shared blocks satisfy the replication pattern corresponding to $C$. This can be improved by converting $C$ into 
an equivalent circuit $C'$ which reduces the overhead of this procedure. A more direct and efficient way for 
implementing the above procedure can be obtained by adapting an idea from [Gro08] to our setting. To test 
that a set of $M$ blocks $v_i$ satisfies a given replication pattern, pick a set of $M$ random blocks $r_i$ and test that 
$\sum_i \langle v_i, r_i \rangle = \sum_i \langle v_i, r'_i \rangle$, where the blocks $r'_i$ are obtained by permuting the blocks in $r_i$ along the "cycles" defined 
by the replication pattern. (That is, for each set of positions in the blocks $v_i$ which should be tested to be 
equal, apply a cyclic shift to the values in the corresponding entries of the blocks $r_i$.) This sum of inner 
products can be computed by adding up all pointwise products of $v_i$ and $r'_i$ together with a random block 
whose entries add up to 0. 
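The replication-pattern machinery from Section C.1 (breaking the pattern into atomic conditions grouped by type $(i, i')$) and the randomized test just described, as an added Python example that is not the paper's or [Gro08]'s own code. The pattern is given as cycles of positions $(\text{block}, \text{entry})$ that must hold equal values; the three sample blocks, the pattern, the field $F_P$ with $P = 2^{61}-1$ and the function names are constructed for the example. The test runs in the clear; in the protocol the servers would evaluate the same pointwise products on their shares and reveal only the masked block.

```python
import random

P = 2**61 - 1  # assumption: field F_P

# Constructed sample: M = 3 blocks of length ell = 4, and a replication pattern given as
# cycles of positions (block, entry) whose values must agree.
SAMPLE_BLOCKS = [[7, 1, 2, 9], [3, 4, 7, 9], [5, 7, 6, 8]]
PATTERN = [[(0, 0), (1, 2), (2, 1)], [(0, 3), (1, 3)]]


def atomic_conditions(cycles):
    """The DI06 decomposition: each cycle becomes conditions 'entry i of block j equals
    entry i' of block j'', grouped by type (i, i') -> list of (j, j')."""
    groups = {}
    for cyc in cycles:
        for (j, i), (j2, i2) in zip(cyc, cyc[1:]):
            groups.setdefault((i, i2), []).append((j, j2))
    return groups


def satisfies(blocks, cycles):
    """Plain reference check: all positions in each cycle hold the same value."""
    return all(len({blocks[j][i] for j, i in cyc}) == 1 for cyc in cycles)


def shift_along_cycles(rs, cycles):
    """r'_i: move each random entry one step along its cycle (a cyclic shift);
    entries outside every cycle stay where they are."""
    shifted = [list(r) for r in rs]
    for cyc in cycles:
        for k, (j, i) in enumerate(cyc):
            j2, i2 = cyc[(k + 1) % len(cyc)]
            shifted[j][i] = rs[j2][i2]
    return shifted


def inner_sum(blocks, rs):
    """sum_i <v_i, r_i> over F_P."""
    return sum(v * r for b, rb in zip(blocks, rs) for v, r in zip(b, rb)) % P


def masked_product_block(blocks, rs, rng=random):
    """What the servers reveal instead of the inner products: the coordinate-wise sum of
    the pointwise products v_i * r_i plus a random block whose entries sum to 0.  Its
    entries add up to inner_sum(blocks, rs) while hiding the individual products."""
    ell = len(blocks[0])
    mask = [rng.randrange(P) for _ in range(ell - 1)]
    mask.append(-sum(mask) % P)
    out = list(mask)
    for b, rb in zip(blocks, rs):
        out = [(o + v * r) % P for o, v, r in zip(out, b, rb)]
    return out


def groth_test(blocks, cycles, rng=random):
    """Randomized replication check: pick random blocks r_i and compare
    sum_i <v_i, r_i> with sum_i <v_i, r'_i>.  Always passes for a valid pattern; a
    violated pattern passes with probability at most 1/P, because the difference is a
    nonzero linear form in the random entries."""
    rs = [[rng.randrange(P) for _ in b] for b in blocks]
    return inner_sum(blocks, rs) == inner_sum(blocks, shift_along_cycles(rs, cycles))


if __name__ == "__main__":
    print(atomic_conditions(PATTERN))
    print(satisfies(SAMPLE_BLOCKS, PATTERN), groth_test(SAMPLE_BLOCKS, PATTERN))
```

For a cycle on which the block values are all equal to some $c$, the shifted sum $\sum_k v[\text{pos}_k]\, r[\text{pos}_{k+1}]$ collapses to $c \sum_k r[\text{pos}_k]$, the same as the unshifted sum; if the values differ, the two sums differ by a linear form with a nonzero coefficient, which vanishes only for a $1/|F|$ fraction of the random blocks.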